Gilks / hostscan-bypass

Generate OpenConnect CSD files to bypass Cisco AnyConnect hostscan requirements

How to run it on Windows 10 PC? #15

Closed ycherkes closed 4 years ago

ycherkes commented 4 years ago

go run hostscan-bypass.go -l 127.0.0.1 -p 8000 -r someserver.com:443 -s

I'm getting never-ending client requests, see below; the same as from the docker container.

When I'm trying to run it in docker:

Dockerfile:

FROM golang:1.7.3 as builder

COPY . $GOPATH/src/github.com/gilks/hostscan-bypass/
WORKDIR $GOPATH/src/github.com/gilks/hostscan-bypass/

RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags="-w -s" -o /go/bin/hostscan-bypass

FROM scratch
COPY --from=builder /go/bin/hostscan-bypass /go/bin/hostscan-bypass
ENTRYPOINT [ "/go/bin/hostscan-bypass" ]

Build command:

docker build . -t hostsscan

Run command:

docker run -it --rm -p 8000:8000 hostsscan -p 8000 -s -r someserver.com:443

I'm also getting never-ending client's requests: From Client [67]: 00000000 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 |<?xml version="1| 00000010 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 |.0" encoding="UT| 00000020 46 2d 38 22 3f 3e 0a 3c 63 6f 6e 66 69 67 2d 61 |F-8"?>.<config-a| 00000030 75 74 68 20 63 6c 69 65 6e 74 3d 22 76 70 6e 22 |uth client="vpn"| 00000040 20 74 79 70 65 3d 22 69 6e 69 74 22 20 61 67 67 | type="init" agg| 00000050 72 65 67 61 74 65 2d 61 75 74 68 2d 76 65 72 73 |regate-auth-vers| 00000060 69 6f 6e 3d 22 32 22 3e 0a 3c 76 65 72 73 69 6f |ion="2">.<versio| 00000070 6e 20 77 68 6f 3d 22 76 70 6e 22 3e 34 2e 38 2e |n who="vpn">4.8.| 00000080 30 33 30 35 32 3c 2f 76 65 72 73 69 6f 6e 3e 0a |03052.| 00000090 3c 64 65 76 69 63 65 2d 69 64 20 63 6f 6d 70 75 |<device-id compu| .................................................................................................................................................................. 66 3c 2f 6d 61 63 2d 61 64 64 72 65 73 73 3e 3c |f<| 000001d0 2f 6d 61 63 2d 61 64 64 72 65 73 73 2d 6c 69 73 |/mac-address-lis| 000001e0 74 3e 0a 3c 67 72 6f 75 70 2d 73 65 6c 65 63 74 |t>.<group-select| 000001f0 3e 47 6c 6f 62 61 6c 3c 2f 67 72 6f 75 70 2d 73 |>Global</group-s| 00000200 65 6c 65 63 74 3e 0a 3c 67 72 6f 75 70 2d 61 63 |elect>.<group-ac| 00000210 63 65 73 73 3e 68 74 74 70 73 3a 2f 2f 31 32 37 |cess>https://127| 00000220 2e 30 2e 30 2e 31 3a 38 30 30 30 3c 2f 67 72 6f |.0.0.1:8000</gro| 00000230 75 70 2d 61 63 63 65 73 73 3e 0a 3c 63 61 70 61 |up-access>.<capa| 00000240 62 69 6c 69 74 69 65 73 3e 0a 3c 61 75 74 68 2d |bilities>.<auth-| 00000250 6d 65 74 68 6f 64 3e 6d 75 6c 74 69 70 6c 65 2d |method>multiple-| 00000260 63 65 72 74 3c 2f 61 75 74 68 2d 6d 65 74 68 6f |cert</auth-metho| 00000270 64 3e 0a 3c 61 75 74 68 2d 6d 65 74 68 6f 64 3e |d>.| 00000280 73 69 6e 67 6c 65 2d 73 69 67 6e 2d 6f 6e 3c 2f |single-sign-on</| 00000290 61 75 74 68 2d 6d 65 74 68 6f 64 3e 0a 3c 61 75 
|auth-method>.<au| 000002a0 74 68 2d 6d 65 74 68 6f 64 3e 73 69 6e 67 6c 65 |th-method>single| 000002b0 2d 73 69 67 6e 2d 6f 6e 2d 76 32 3c 2f 61 75 74 |-sign-on-v2</aut| 000002c0 68 2d 6d 65 74 68 6f 64 3e 3c 2f 63 61 70 61 62 |h-method></capab| 000002d0 69 6c 69 74 69 65 73 3e 0a 3c 2f 63 6f 6e 66 69 |ilities>.</confi| 000002e0 67 2d 61 75 74 68 3e 0a |g-auth>.|

EOF read tcp 172.17.0.2:48368->x.x.x.x:443: use of closed network connection [] Accepted from: 172.17.0.1:46236 [][68] Connected to server: x.x.x.x:443 EOF read tcp 172.17.0.2:48374->x.x.x.x:443: use of closed network connection [] Accepted from: 172.17.0.1:46242 [][69] Connected to server: x.x.x.x:443 From Client [69]: .................

When I'm trying to run openconnect without the --csd-wrapper=hostscan-bypass.cmd param I'm getting:

.\openconnect.exe --os=win someserver.com/group --token-mode=rsa --token-secret=@tokenFile.sdtid ..... Error: Server asked us to run CSD hostscan.

And https://someserver.com/CACHE/sdesktop/data.xml contains a non-empty hostscan section.

Gilks commented 4 years ago

To be clear, you're saying that you are never getting the hostscan-bypass.sh file when trying to perform the MITM and it seems like the connection keeps retrying indefinitely?

Try browsing to your local host and see if you are properly hitting the ASA. You can browse to 127.0.0.1:8000 in your browser. You'll get a cert error and it will likely be quite slow. If everything is set up correctly you will see the ASA login page just as you would if you browse to someserver.com:443.

ycherkes commented 4 years ago

> To be clear, you're saying that you are never getting the hostscan-bypass.sh file when trying to perform the MITM and it seems like the connection keeps retrying indefinitely?
>
> Try browsing to your local host and see if you are properly hitting the ASA. You can browse to 127.0.0.1:8000 in your browser. You'll get a cert error and it will likely be quite slow. If everything is set up correctly you will see the ASA login page just as you would if you browse to someserver.com:443.

Yeah, I'm never getting the hostscan-bypass.sh file and the connection keeps retrying indefinitely.

I see this page when opening localhost:8000 in the browser:

[image attached]

Gilks commented 4 years ago

That's odd. Is the repetitive output the "use of closed network connection" message?

Also, I just tried reproducing this by connecting to <local IP>:8000 with AnyConnect and I can't make a successful connection to my MITM machine. Is there a reason you're listening on port 8000 instead of 443?

ycherkes commented 4 years ago

I replaced 443 with 8000 because I faced the following error:

go run hostscan-bypass.go -l 127.0.0.1 -p 443 -r someserver.com:443 -s

panic: failed to connect: listen tcp 127.0.0.1:443: bind: An attempt was made to access a socket in a way forbidden by its access permissions.

goroutine 1 [running]:
main.startListener(0x1)
c:/Plays/hostscan-bypass/hostscan-bypass.go:244 +0x988
main.main()
c:/Plays/hostscan-bypass/hostscan-bypass.go:329 +0x446
exit status 2

Example of the repetitive output:

go run hostscan-bypass.go -l 127.0.0.1 -p 8000 -r someserver.com:443 -s

[] Listening for AnyConnect client connection.. [] Accepted from: 127.0.0.1:56333 [][0] Connected to server: x.x.x.x:443 EOF read tcp 192.168.0.89:56334->x.x.x.x:443: use of closed network connection [] Accepted from: 127.0.0.1:56335 [*][1] Connected to server: x.x.x.x:443 From Client [1]: 00000000 50 4f 53 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d |POST / HTTP/1.1.| 00000010 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 |.Cache-Control: | 00000020 6e 6f 2d 63 61 63 68 65 0d 0a 43 6f 6e 6e 65 63 |no-cache..Connec| 00000030 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 50 72 61 |tion: close..Pra| 00000040 67 6d 61 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 48 |gma: no-cache..H| 00000050 6f 73 74 3a 20 6c 6f 63 61 6c 68 6f 73 74 3a 38 |ost: localhost:8| 00000060 30 30 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a |000..User-Agent:| 00000070 20 41 6e 79 43 6f 6e 6e 65 63 74 20 57 69 6e 64 | AnyConnect Wind| 00000080 6f 77 73 20 34 2e 38 2e 30 33 30 35 32 0d 0a 58 |ows 4.8.03052..X| 00000090 2d 54 72 61 6e 73 63 65 6e 64 2d 56 65 72 73 69 |-Transcend-Versi| 000000a0 6f 6e 3a 20 31 0d 0a 58 2d 41 6e 79 43 6f 6e 6e |on: 1..X-AnyConn| 000000b0 65 63 74 2d 53 54 52 41 50 2d 50 75 62 6b 65 79 |ect-STRAP-Pubkey| ............................................................................. 00000140 58 2d 41 67 67 72 65 67 61 74 65 2d 41 75 74 68 |X-Aggregate-Auth| 00000150 3a 20 31 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e |: 1..Content-Len| 00000160 67 74 68 3a 20 37 34 34 0d 0a 0d 0a |gth: 744....|

From Client [1]: 00000000 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 |<?xml version="1| 00000010 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 |.0" encoding="UT| 00000020 46 2d 38 22 3f 3e 0a 3c 63 6f 6e 66 69 67 2d 61 |F-8"?>.<config-a| 00000030 75 74 68 20 63 6c 69 65 6e 74 3d 22 76 70 6e 22 |uth client="vpn"| 00000040 20 74 79 70 65 3d 22 69 6e 69 74 22 20 61 67 67 | type="init" agg| 00000050 72 65 67 61 74 65 2d 61 75 74 68 2d 76 65 72 73 |regate-auth-vers| 00000060 69 6f 6e 3d 22 32 22 3e 0a 3c 76 65 72 73 69 6f |ion="2">.<versio| 00000070 6e 20 77 68 6f 3d 22 76 70 6e 22 3e 34 2e 38 2e |n who="vpn">4.8.| 00000080 30 33 30 35 32 3c 2f 76 65 72 73 69 6f 6e 3e 0a |03052.| 00000090 3c 64 65 76 69 63 65 2d 69 64 20 63 6f 6d 70 75 |<device-id compu| ............................................................................. 00000250 6d 65 74 68 6f 64 3e 6d 75 6c 74 69 70 6c 65 2d |method>multiple-| 00000260 63 65 72 74 3c 2f 61 75 74 68 2d 6d 65 74 68 6f |cert</auth-metho| 00000270 64 3e 0a 3c 61 75 74 68 2d 6d 65 74 68 6f 64 3e |d>.| 00000280 73 69 6e 67 6c 65 2d 73 69 67 6e 2d 6f 6e 3c 2f |single-sign-on</| 00000290 61 75 74 68 2d 6d 65 74 68 6f 64 3e 0a 3c 61 75 |auth-method>.<au| 000002a0 74 68 2d 6d 65 74 68 6f 64 3e 73 69 6e 67 6c 65 |th-method>single| 000002b0 2d 73 69 67 6e 2d 6f 6e 2d 76 32 3c 2f 61 75 74 |-sign-on-v2</aut| 000002c0 68 2d 6d 65 74 68 6f 64 3e 3c 2f 63 61 70 61 62 |h-method></capab| 000002d0 69 6c 69 74 69 65 73 3e 0a 3c 2f 63 6f 6e 66 69 |ilities>.</confi| 000002e0 67 2d 61 75 74 68 3e 0a |g-auth>.|

EOF read tcp 192.168.0.89:56336->x.x.x.x:443: use of closed network connection [] Accepted from: 127.0.0.1:56337 [][2] Connected to server: x.x.x.x:443 EOF read tcp 192.168.0.89:56338->x.x.x.x:443: use of closed network connection [] Accepted from: 127.0.0.1:56339 [][3] Connected to server: x.x.x.x:443 From Client [3]: Repeated the same content as From Client[1]

From Client [3]: Repeated the same content as From Client[1]

EOF read tcp 192.168.0.89:56340->x.x.x.x:443: use of closed network connection [] Accepted from: 127.0.0.1:56341 [][4] Connected to server: x.x.x.x:443 EOF read tcp 192.168.0.89:56342->x.x.x.x:443: use of closed network connection [] Accepted from: 127.0.0.1:56343 [][5] Connected to server: x.x.x.x:443 From Client [5]: etc...........................................................................

Gilks commented 4 years ago

Ah. Try running the command with sudo.

sudo go run hostscan-bypass.go -l 127.0.0.1 -p 443 -r someserver.com:443 -s

ycherkes commented 4 years ago

I just have a cmd window under Administrator mode.

And I don't know how to run sudo command in Windows.

Is there any way to do that?

Gilks commented 4 years ago

Is something else currently listening on port 443? An admin command prompt should be sufficient.

Worst case, I'd recommend using a VM.

ycherkes commented 4 years ago

net stop http helped free port 443.

But nothing changed - the same repetitive behavior.
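Stopping the HTTP service frees port 443 on Windows because the kernel-mode HTTP.sys driver (shown by netstat as the "System" process, PID 4) is usually what holds it, but that also takes down anything else registered through HTTP.sys, such as an IIS site. A practitioner would want to see what actually owns the port first. The following PowerShell is an added example, not code from the hostscan-bypass project or from this thread; it assumes an elevated PowerShell session on Windows 10 with the NetTCPIP module (Get-NetTCPConnection) available, and the port number is a parameter that defaults to 443.

```powershell
# Added example (not part of hostscan-bypass): identify what holds a TCP port
# on Windows before stopping services to free it.
# Assumes an elevated PowerShell session on Windows 10 with the NetTCPIP module.
param(
    [int]$Port = 443
)

# 1. Which process owns the listening socket(s) on this port?
#    A port owned by PID 4 (System) means HTTP.sys holds it.
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output "Nothing is listening on TCP port $Port."
    return
}

foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Output ("{0}:{1} is owned by PID {2} ({3})" -f `
        $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName)
}

# 2. If HTTP.sys is the owner, show what is registered through it so the cost of
#    "net stop http" is known before running it.
if ($listeners | Where-Object { $_.OwningProcess -eq 4 }) {
    Write-Output ""
    Write-Output "Port $Port is held by HTTP.sys (kernel driver 'http')."

    Write-Output "URL reservations on this port (netsh http show urlacl):"
    netsh http show urlacl | Select-String -SimpleMatch ":$Port/"

    Write-Output "URLs currently registered in HTTP.sys request queues:"
    netsh http show servicestate | Select-String -SimpleMatch ":$Port/"

    # sc.exe can enumerate dependents of driver services, which Get-Service cannot.
    Write-Output "Services that depend on the http driver (stopped together with it):"
    sc.exe enumdepend http
}
```

Run it as `.\Show-PortOwner.ps1 -Port 443` (file name is a placeholder). If the port is owned by an ordinary process rather than PID 4, stopping the `http` driver will not free it; the owning process name printed in step 1 is what needs attention instead.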

Gilks commented 4 years ago

I can't really be much of a help here. I cannot reproduce the issue.