OS X Troubleshooting about hostscan-bypass HOT 47 CLOSED

Hi there @megastallman. I think I have a solution for you.

Create a file in the repository called 'config.json'

Populate it with the following (to suit your needs - i set the common name to the hostname of the internal IP i was using):

{
    "TLS":{
            "Country":["US"],
            "Org":["megastallman"],
            "CommonName":"10.10.10.20"
    },
    "Certfile":""
}

Then, run the hostscan-bypass.go program as such:

sudo go run hostscan-bypass.go -c config.json -l 10.10.10.20 -p 443 -r remote-vpn.example.com:443 -s

Now, I added the certificate to my mac's keychain by fetching it with openssl and then saving it to a file. Then I opened it. However, I'm not sure this really matters because AnyConnect still complains that the cert is invalid:

openssl s_client -showcerts -connect 10.10.10.20:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycert.pem && open mycert.pem

Once your keychain opens up, make sure you modify the ca/cert to be trusted.

Ensure that the checkbox in your AnyConnect preferences is still set to not block invalid certs, type in the IP or hostname of your internal host and hit connect. Voila

You should now have a successfully saved hostscan-bypass.sh in your folder!

from hostscan-bypass.

Hi there @megastallman. I think I have a solution for you.

Create a file in the repository called 'config.json'

Populate it with the following (to suit your needs - i set the common name to the hostname of the internal IP i was using):

{
    "TLS":{
            "Country":["US"],
            "Org":["megastallman"],
            "CommonName":"10.10.10.20"
    },
    "Certfile":""
}

Then, run the hostscan-bypass.go program as such:

sudo go run hostscan-bypass.go -c config.json -l 10.10.10.20 -p 443 -r remote-vpn.example.com:443 -s

Now, I added the certificate to my mac's keychain by fetching it with openssl and then saving it to a file. Then I opened it. However, I'm not sure this really matters because AnyConnect still complains that the cert is invalid:

openssl s_client -showcerts -connect 10.10.10.20:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycert.pem && open mycert.pem

Once your keychain opens up, make sure you modify the ca/cert to be trusted.

Ensure that the checkbox in your AnyConnect preferences is still set to not block invalid certs, type in the IP or hostname of your internal host and hit connect. Voila

You should now have a successfully saved hostscan-bypass.sh in your folder!

Thanks so much! I had a working connection and it stopped working. This worked perfectly! Arch Linux for anyone else looking and comes across this.

from hostscan-bypass.

Thanks @cjbirk !

It works on Linux, and in a couple of days I will ask mac users to sniff the 'corporate' reply. I hope to overcome those company's network restrictions, that currently I'm cheating around with sshuttle over openconnect.

from hostscan-bypass.

Hi,

Thanks for this tool.

I found an alternative which is pretty straightforward (does not require to change AnyConnect preferences or trust invalid certificates)

Install ngrok and run ngrok http https://<YOUR IP>

Then use AnyConnect to connect to the https url generated by ngrok.

Juan

from hostscan-bypass.

@desilinguist this tool is great and needed! ngrok helps executing it on a macOS environment. The reason is that Cisco AnyConnect VPN Client will refuse to connect to <MY IP>, but will be happy to connect to the one generated by ngrok, which is public domain with a valid SSL certificate (ngrok tunnels traffic to <MY IP>)

from hostscan-bypass.

Ah, got it now! Thanks!

from hostscan-bypass.

Full disclosure, I never tested this using a Linux or OS X client. When I built the tool I used a Windows client. I do not have the development environment available to test Linux and OS X clients. However, I'm interested in seeing if we can make this work. This may require a bit of troubleshooting on your part- please let me know if you manage to get it working!

Take a look around the Linux/OS X AnyConnect client and try to find a setting like Block connections to untrusted servers as seen here on the Windows client. The error sounds like it's a certificate issue. The AnyConnect client does not trust your MITM machine.

from hostscan-bypass.

Hi @Gilks

It looks strange that you don't have a Linux dev environment. You can google the anyconnect-linux64-4.6.03049-predeploy-k9.tar.gz file that I've tried and didn't succeed.
The sniff has succeeded on anyconnect-win-4.6.03049-core-vpn-predeploy-k9.msi
As of the Block connections to untrusted servers checkbox - I double check it every time and agree to proceed with an untrusted server.

from hostscan-bypass.

I appreciate your awareness. It sounds like there may be a misunderstanding around what is required to develop this project. Allow me to explain.

The Linux development environment is not limited to the distribution and AnyConnect binary. In addition to the aforementioned requirements, the developer also requires a valid Cisco VPN that publishes the hostscan binaries for Linux.

I do not have a valid VPN that publishes Linux hostscan binaries. Therefore I do not have the resources to support this request. When I have the opportunity (and authorization) to utilize a companies VPN page for the continued development of this project, I will happily do so.

Thanks again for taking the time to use the bypass!

from hostscan-bypass.

Oh, I understand that!

Your vpn is much more locked down than ours. Ours does not allow downloading the installer from a web page, barely from the times I joined that company, but still updates it and provides the trojans. Some years ago I've been unpacking the ASA image at my study courses and saw it containing Linux, macos and necrosoft window versions of installers and trojans, respectively.
That company just breaks networking, locking down all ports I use, so I'm currently using sshuttle to make double VPN. Just to do my work.
So it would be really great to do what this script does...

from hostscan-bypass.

I'm curious- is there a reason you need to intercept Linux/OS X? If you are able to intercept the Windows AnyConnect client connection, you can connect to the network with Linux/OS X using OpenConnect.

from hostscan-bypass.

It looks like this:
DAP-policies require some kind of strange shitware installed, something like particular versions of particular [anti]viruses and such. Another, most of ports are blocked, so now I'm using sshuttle to a jumphost just to do my work. That window-sniff test I did - is run from a necrosoft IE testing Virtualbox template. It does not get all required values, just the keys. I know no-one on a window corporate laptop to ask to connect to my sniffer host, but there are some corporate macos users, that definitely can. I've also tried to sniff myself on my kubuntu machine and got the same problems that macos users have, so I concluded, if I can sniff on linux, then I'd try doing that with macos again.... There is also a way to ask for a corporate window laptop, but this idea makes me sick and tired of this game. Of course they can fire me, but I don't care that much about that.

One more disclosure... About 3 years ago I've been working for a company, called Cisco Systems. After I couldn't connect with Cisco Anydisconnect, they've issued me a nice Vpnc config, so that I've been really happy. But now I'm working for another company that really makes use of these Cisco tools to build some kind of Soviet-style walled garden.

from hostscan-bypass.

Ah, that makes sense. You worked for Cisco Systems? What a small world! Without access to OS X there isn't much I can do to help. I've only got two ideas:

1. Try uninstalling and reinstalling the OS X AnyConnect client. Perhaps a local config file is driving the software and ignoring your attempts to allow connections to untrusted VPN servers. I strongly believe that once you get the AnyConnect client to connect to your MITM machine that you will successfully generate a CSD file.

2. When developing this script, I found an OS X OpenConnect CSD file that reports back that ClamAV is installed. Perhaps you might get lucky and it will work. Here is the gist. If this works you should successfully connect to the network with your Linux host.

from hostscan-bypass.

Yeah, some years ago I've been involved into ESA/WSA and Cisco-cloud.
I'll try to as our macos users to reinstall the anydisconnect client, but I don't think that is possible.
As for Linux machines - I've tried both on my Kubuntu laptop and on the Kubuntu LiveUSB image. The first one can have some residual configs, but the LiveUSB is always clean. And got the same issue.

from hostscan-bypass.

Good news! I found a way to get my hands on an OS X machine temporarily. I was able to reproduce the exact scenario you were describing where the error message AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network. Connection attempt has failed. occurred even when the Block connections to untrusted servers was unchecked.

I found that removing the TLS Proxy command line argument -s allowed OS X to make a connection to the MITM machine successfully. You must also ensure the Block connections to untrusted servers is still unchecked. The full syntax is as follows:

sudo go run hostscan-bypass.go -l <Local IP> -p 443 -r YOUR_VPN.com:443

Let me know how this works!

from hostscan-bypass.

Hey @megastallman. Did you get a chance to check this out?

from hostscan-bypass.

Not yet. Hope to try this week.

from hostscan-bypass.

Closing issue due to inactivity.

from hostscan-bypass.

Hi @Gilks !
Sorry for a long reply. So I've found a mac to try.

When I omit the '-s' option, I get the following result:
`From Client [0]:
00000000 16 03 01 00 a2 01 00 00 9e 03 03 31 4c b8 77 6e |...........1L.wn|
00000010 17 aa e5 a5 0f eb d7 35 16 22 3f 66 7d b2 fe 8d |.......5."?f}...|
00000020 58 d0 c9 f5 f9 45 04 05 f4 76 ec 00 00 2c c0 2c |X....E...v...,.,|
00000030 c0 30 00 9f 00 9d c0 24 c0 28 00 6b 00 3d c0 2b |.0.....$.(.k.=.+|
00000040 c0 2f 00 9e 00 9c c0 23 c0 27 00 67 00 3c 00 39 |./.....#.'.g.<.9|
00000050 00 35 00 33 00 2f 00 0a 00 ff 01 00 00 49 00 0b |.5.3./.......I..|
00000060 00 04 03 00 01 02 00 0a 00 0a 00 08 00 19 00 18 |................|
00000070 00 17 00 13 00 0d 00 20 00 1e 06 01 06 02 06 03 |....... ........|
00000080 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 |................|
00000090 03 03 02 01 02 02 02 03 00 10 00 0b 00 09 08 68 |...............h|
000000a0 74 74 70 2f 31 2e 31 |ttp/1.1|

From Client [0]:
00000000 16 03 03 01 06 10 00 01 02 01 00 0d d7 df c5 4c |...............L|
00000010 91 89 e1 ba 22 c5 17 b1 3d 44 31 1a dc ea 96 42 |...."...=D1....B|
00000020 e3 47 41 d3 06 4a 48 fc 7b 8a cb bc 44 47 6c 93 |.GA..JH.{...DGl.|
00000030 79 5d 5c 1d 37 d7 30 5d f6 27 02 29 15 11 46 11 |y].7.0].'.)..F.|
00000040 19 eb d4 74 a1 28 de e0 be f1 6f c4 c2 73 6b 43 |...t.(....o..skC|
00000050 f6 75 d4 42 0c 2a e1 c7 5c 88 90 41 2d f3 ff 3d |.u.B.....A-..=|
00000060 a8 b1 ea 1c 1c b3 28 4f 33 49 cd f8 a8 39 2a 38 |......(O3I...98|
00000070 97 b3 18 a5 75 2d d6 cc 2d 06 4b f6 03 e2 f0 c6 |....u-..-.K.....|
00000080 92 dc 97 79 05 cc 74 86 20 83 9e 8c 1e ee 94 8d |...y..t. .......|
00000090 91 12 90 af 54 16 4d 46 81 35 c3 b6 80 de 10 11 |....T.MF.5......|
000000a0 d6 a0 d1 d2 e4 b1 69 e3 92 6b 5d da 3b e6 79 9e |......i..k].;.y.|
000000b0 73 1e 5a 94 5b 20 46 44 c1 ba bc 95 5e e4 93 0d |s.Z.[ FD....^...|
000000c0 6e f3 24 c0 49 f3 3f c2 23 78 cd 79 50 9e 28 73 |n.$.I.?.#x.yP.(s|
000000d0 e3 e7 29 18 51 87 02 1d 06 3d 61 18 3e e0 69 23 |..).Q....=a.>.i#|
000000e0 82 d3 cf 47 47 46 c8 a3 1e a5 9a 3e 43 0d a9 70 |...GGF.....>C..p|
000000f0 b8 02 87 1f a0 9b 80 bf b7 14 e1 77 a5 e2 92 6f |...........w...o|
00000100 76 22 8b 34 5f a6 fe 0b 6f 43 aa 14 03 03 00 01 |v".4_...oC......|
00000110 01 16 03 03 00 40 06 ba 93 98 fc df 32 1d 70 7d |[email protected]}|
00000120 58 90 35 9e 90 23 88 5b 4f f2 b4 b5 82 74 a0 7a |X.5..#.[O....t.z|
00000130 e5 82 c9 0e 46 72 fd 4b 99 10 05 6d d2 5e d5 3e |....Fr.K...m.^.>|
00000140 ae d6 a3 7c 62 57 73 e7 50 eb ce d0 9d 8d b5 9c |...|bWs.P.......|
00000150 09 db 4d 3d 6f 9f |..M=o.|`

And it couldn't get the proper end of the stream, printing EOF read tcp 10.10.0.2:55462-><IP>:443: use of closed network connection [*] Accepted from: <CLIENT-IP>:52733 [*][4] Connected to server: <IP>:443 From Client [4]:

So the try is basically unsuccessful.

Thanks in advance!

I think we can reopen the issue.

from hostscan-bypass.

I apologize but I cannot be of anymore help. I would need the actual machine producing that output to troubleshoot this any further. I have no way of reproducing the bug. I'm out of ideas unfortunately.

If you troubleshoot the issue and have any questions you think I can answer I will happily help.

from hostscan-bypass.

That's awesome to hear. I'm glad it worked for you

from hostscan-bypass.

I can't get this to work on Linux or mac @cjbirk. I just get the same EOF issue no matter what.

from hostscan-bypass.

Did you try the solution posted by @cjbirk ?

from hostscan-bypass.

Yeah, I tagged the wrong user 🤦‍♂️

from hostscan-bypass.

Hi @m0ngr31 !
As you may know, I've succeeded with the sniffing. Now I'm sending a macos reply from my Kubuntu laptop, which is not that corporate. So, what works and doesn't:

• necrosoft window, official client. Without config.json
• Linux, openconnect. With config.json, without adding a certificate.
• Linux, official client. With config.json, without adding a certificate.
• Macos, Shimo(a proprietary Openconnect wrapper. Needs on of the bash trojan wrappers, that work with darwin). With config.json, without adding a certificate. <-- This is the one that helped me! Thanks much guys!
• Macos, official client. With config.json, without adding a certificate. Did NOT work. I suppose, the problem is that we didn't try to add a certificate.

There could be more options, but I've got satisfied with a Macos Shimo reply.

from hostscan-bypass.

So, @m0ngr31 , what is your situation? Maybe we can work it around somehow? Maybe you can just try Openconnect or Shimo on a corp laptop?

from hostscan-bypass.

I have a corporate Macbook with my personal linux box I'm trying to use to do the MITM. I think I got it working with some csd-wrapper scripts last night though.

from hostscan-bypass.

Hello guys,
Thank you so much for your brilliant research, i am stuck at level two:-

Administrator@Star-pc MINGW64 /c/projects/go/src/github.com/gilks/hostscan-bypass (master)
$ sudo go run hostscan-bypass.go -l 10.10.10.8 -p 443 -r remote-vpn.example.com :443 -s
[] Listening for AnyConnect client connection..
[] Accepted from: 10.10.10.8:49820

This is what i am getting when i use AnyConnect and connect to 10.10.10.8
"connection attempt has timed out. please verify internet connectivity"

from hostscan-bypass.

from hostscan-bypass.

Hello @megastallman ,

I am stuck at last phase, below is the error message:-

$ openssl s_client -showcerts -connect 10.10.10.8 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycert.pem && open mycert.pem
unable to load certificate
11732:error:0909006C:PEM routines:get_name:no start line:../openssl-1.1.1c/crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

kindly help.

from hostscan-bypass.

Hi @Sputnik-001 !
Try doing the first part before ampersands first and see the pem-file appeared. By the way, what system are you running here?

from hostscan-bypass.

HI,

I'm stuck with the EOF issue. Here's a quick overview of what I've tried.

Applications I've tried:

• AnyConnect
• OpenConnect (macOS, Linux)
• Shimo (macOS)

OS's I've tried:

• macOS 10.15
• macOS 10.14
• Fedora 30
• Windows 10

Misc. things I've tried:

• with/out the config file
• with/out "-s"
• private ip, loopback ip
• Disabling the built in firewall and Little Snitch

In all these cases I can successfully connect and login (so something is going through). Even on unsupported machines/OS's, which is odd considering the whole posture assessment thing. It's definitely running trojans scripts. Either way the EOF issue always appears. Even on Windows.

In addition I've tried inspecting requests with Charles and Proxyman but either no data is captured or the SSL request is unreadable... Maybe it's just really locked down.

Without the "-s" I get quite a bit of data printed and then:

EOF
read tcp 10.0.1.22:53769->192.28.0.58:443: use of closed network connection

With the "-s" it pretty much fails much quicker and with no "read tcp" error.

If there's any other information I need to provide please let me know. After trying so many things I'm not sure where to go from here.

Some good news, maybe. I can view https://<VPN URL>/CACHE/sdesktop/data.xml, but not entirely sure what to do with it to build my own request. I know that's outside the scope of this project (literally mentioned at the end of the blog post) but thought any context is good context.

Thanks.

from hostscan-bypass.

Hi @Joshuaks !
It should definitely work at necrosoft_widows_10. Even without config.json. Looks like something has changed.
@Gilks, could #6 be the reason? Should we advice @Joshuaks try older go runtimes?
At the moment I can't check my old successful setup, because I've left that company recently and using OpenVPN via KDE-netmanager applet at my new workplace.

from hostscan-bypass.

Ok @Joshuaks . I've asked to build that hostscan-bypass binary and send it to me. It has been built with go version go1.10.2 linux/amd64. Though I just did go run before, this machine has never been updated. So I hope I've built the old version. Here you can get it: https://gofile.io/?c=bt2lwa MD5 fe7fd5788a7c06168c5439a88d7e6f9f
Please try.

from hostscan-bypass.

@megastallman It could be similar to #6 in that this sounds suspiciously like a TLS issue. I don't think using older go binaries will work here unless golang deprecated the needed ciphers (in that case it would work).

@Joshuaks The -s command is telling the hostscan-bypass to use TLS. If the connection is not completing a TLS handshake, it would explain why the connection is being dropped. Can you provide me with two pieces of information?

1. Use this nmap command and scan your VPN endpoint. Post up the results
   nmap --script ssl-enum-ciphers <endpoint> -p 443

2. Can you provide the hostscan-bypass one liner you're using to start the go file?

from hostscan-bypass.

@Gilks I am honestly surprised at all the help so far! I really appreciate it.

└─ nmap --script ssl-enum-ciphers $SECRET_COMPANY -p 443
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-04 08:23 EST
Nmap scan report for $SECRET_COMPANY (192.28.0.58)
Host is up (0.094s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 22.13 seconds

2. sudo go run hostscan-bypass.go -c config.json -l 127.0.0.1 -p 443 -r $SECRET_COMPANY:443 -s

@megastallman Thanks for the binary. I'll definitely give it a try and report back.

from hostscan-bypass.

Yeah, the old go binary isn't going to help much here. There's no way it's a cipher support issue (as seen in #6).

Couple more questions about your hostscan-bypass one liner:

1. I see you're using 127.0.0.1 for the -l argument. Are you attempting to use AnyConnect on the same machine that is running hostscan-bypass.go?

2. For the -r parameter, are you prepending http:// or https:// to $SECRET_COMPANY:443?

from hostscan-bypass.

@Gilks

1. Yes. Same machines. I've also tried using the private IP of the same machine (ie. 10.0.1.28).

2. I've tried $SECRET_DOMAIN:443, https://$SECRET_DOMAIN:443 (doesn't work) and https://$SECRET_DOMAIN (doesn't work either). Specifying the port only seems to get me the most success.

from hostscan-bypass.

Try using two separate machines. One machine running the hostscan-bypass and a victim machine (Windows) running AnyConnect. I know it shouldn't matter but something is happening with the TLS handshake.. It's kind of hard to troubleshoot issues like this because I don't have a way to reproduce the problem.

Use this one liner:
sudo go run hostscan-bypass.go -l 0.0.0.0 -p 443 -r $SECRET_COMPANY:443 -s

from hostscan-bypass.

I'm not sure when I'll get to it (the machine it pretty locked down) but that'll be my next step. Will keep you updated.

from hostscan-bypass.

So far I've been unsuccessful in getting it to work. AnyConnect prompts for an invalid certificate, click "Connect Anyway", login dialog shows up.

On the hostscan-bypass side there's some activity and it ends with this:

EOF
read tcp 192.168.1.13:44512->68.115.198.2:443: use of closed network connection

I know the manual says not to login, so I wait. Nothing else happens, no further output and no CSD file created.

I've tried with -c config.json as well, and if no -s is used AnyConnect establishes connection and passes the validation. Yet still no CSD file to be found.

Can anyone point me in the right direction?

from hostscan-bypass.

I'm going to lock this issue to preserve the troubleshooting that's taken place so far. To everyone in the future- please open a new issue if you have additional questions.

@miminno when you open an issue please be sure to include the distro you're trying to MITM and all of the output that you get up until the EOF you mentioned.

from hostscan-bypass.

It was a poor decision to lock discussions on this thread. I've reopened it to allow continued troubleshooting for any OS X related issues.

@cjbirk @megastallman - are either of you able to help this user? You can post your replies here.

from hostscan-bypass.

@Gilks you seemed to have closed the issue again?

from hostscan-bypass.

Originally I meant to unlock the conversation not re-open the issue. Sorry about that.

from hostscan-bypass.

@ncortines interesting! could you please be a bit more specific? Are you saying you don't need this hostscan bypass tool at all with ngrok? What does stand for?

from hostscan-bypass.

I had success with the config.json file, but only after removing the [ ] array wrapping:

{
    "TLS":{
            "Country": "US",
            "Org": "whatever",
            "CommonName":"10.0.0.1"
    },
    "Certfile":""
}

I noticed if I navigated to the hostscan-bypass webserver with Firefox, the certificate looked more normal after this as well, with the CN showing up, etc.

from hostscan-bypass.