Gilks / hostscan-bypass

Generate OpenConnect CSD files to bypass Cisco AnyConnect hostscan requirements
248 stars, 46 forks

Possible protocol change #3

Closed: megastallman closed this issue 5 years ago

megastallman commented 5 years ago

Hi @Gilks

Unfortunately, I couldn't get that script to succeed. It looks like something has changed in recent versions. Do you have any ideas?

  go run hostscan-bypass.go -l 10.10.0.2 -p 443 -r  vpn-QQQQQQ.com:443 -s

  [*] Listening for AnyConnect client connection..
  [*] Accepted from: QQQQQ:49653
  [*][0] Connected to server: QQQQQ:443
  [*] Accepted from: QQQQQ:49758
  [*][1] Connected to server: QQQQQ:443
  read tcp 10.10.0.2:35710->QQQQQ:443: read: connection reset by peer
  read tcp 10.10.0.2:35716->QQQQQ:443: read: connection reset by peer
Gilks commented 5 years ago

Hey @megastallman! I appreciate you taking the time to try out the bypass! As a sanity check, I have just verified the bypass is still working.

It looks like a connection between your MITM machine and vpn-QQQQQQ.com:443 is not being made successfully. Are you able to verify that you can browse to vpn-QQQQQQ.com:443 manually?

megastallman commented 5 years ago

Hi @Gilks !

I've tried to connect to https://vpn-QQQQQQ.com, which is actually our gateway. It normally redirects to /CACHE/sdesktop/install/start.htm. That looks normal.

megastallman commented 5 years ago

I've also run it like this: go run hostscan-bypass.go -l 0.0.0.0 -p 443 -r vpn-QQQQQ:443 -s Is that a valid option for VMs with sticky external IPs?

But the result is still the same. The browser can access the Cisco gateway directly but cannot access it via the MITM host. The official Cisco "AnyDisconnect" just falls back to the backup gateways.

If I add an /etc/hosts entry forcing it to connect directly to my MITM host, it says: "AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network."

Gilks commented 5 years ago

Excellent! I think I understand your issue a bit better now. Take a look at this blog post. It provides a tutorial on how the tool works and how to configure the AnyConnect client to connect to the MITM machine.

You are on the right track making the Windows AnyConnect client connect directly to your MITM machine. The error message "AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network." means the AnyConnect client needs to be configured to allow connections to untrusted servers.

Imagine this scenario: you want to intercept the Windows AnyConnect client's connection from your Linux machine. Here are some fictitious IPs: Windows AnyConnect Client (10.0.0.2) --> Linux MITM Machine (10.0.0.10) --> VPN URL (vpn-QQQQQQ.com)

On your Linux host, this would be your one liner: go run hostscan-bypass.go -l 10.0.0.10 -p 443 -r vpn-QQQQQQ.com:443 -s

On your Windows AnyConnect Client (10.0.0.2) you would connect to 10.0.0.10 instead of vpn-QQQQQQ.com. As long as you have "Block connections to untrusted servers" unchecked in the client, you will make the connection successfully.

Does this explanation help?

megastallman commented 5 years ago

Hi @Gilks !

Thanks! My problem was that I used a GKE VM with a sticky IP address. Now I've got to think of a way to get the data from the "right" target computer, but that's my own problem.

megastallman commented 5 years ago

This is the most universal scenario for me; it works everywhere, both on physical machines and on cloud VMs with a floating IP: go run hostscan-bypass.go -l 0.0.0.0 -p 443 -r vpn-QQQQQQ.com:443 -s Just listen on all interfaces.
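The thread turns on two things: the MITM box must bind an address the client can actually reach (a cloud VM's "sticky" external IP is NATed and is not on any local interface, so `-l <external IP>` fails while `-l 0.0.0.0` works), and the client must be pointed at the MITM box rather than the gateway. The following is an added example, not code from hostscan-bypass or from either participant, that reproduces the listen/forward/capture shape of such a relay in plain TCP so the bind behaviour can be exercised offline. It assumes a constructed echo server as a stand-in for the VPN gateway; the request line, the TEST-NET address 192.0.2.1 used to simulate a non-local external IP, and all function names are illustrative. It does no TLS, so it is not a substitute for the real tool.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"log"
	"net"
	"sync"
)

// Relay accepts clients on one address, dials the real gateway for each one,
// copies bytes both ways and keeps a copy of everything the client sent.
// Plain TCP only; the real hostscan-bypass terminates TLS as well.
type Relay struct {
	ln       net.Listener
	remote   string
	mu       sync.Mutex
	captured bytes.Buffer
}

// NewRelay binds listenAddr and starts accepting in the background.
// Binding a cloud VM's external IP fails here with "cannot assign requested
// address" because that IP is not on a local interface; "0.0.0.0:port" works.
func NewRelay(listenAddr, remoteAddr string) (*Relay, error) {
	ln, err := net.Listen("tcp", listenAddr)
	if err != nil {
		return nil, fmt.Errorf("listen on %s: %w", listenAddr, err)
	}
	r := &Relay{ln: ln, remote: remoteAddr}
	go r.acceptLoop()
	return r, nil
}

func (r *Relay) Port() int    { return r.ln.Addr().(*net.TCPAddr).Port }
func (r *Relay) Close() error { return r.ln.Close() }

// Captured returns a copy of all client->server bytes seen so far.
func (r *Relay) Captured() []byte {
	r.mu.Lock()
	defer r.mu.Unlock()
	return append([]byte(nil), r.captured.Bytes()...)
}

// Write makes Relay an io.Writer so a TeeReader can feed the capture buffer.
func (r *Relay) Write(p []byte) (int, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	return r.captured.Write(p)
}

func (r *Relay) acceptLoop() {
	for {
		c, err := r.ln.Accept()
		if err != nil {
			return // listener closed
		}
		go r.handle(c)
	}
}

func (r *Relay) handle(client net.Conn) {
	defer client.Close()
	server, err := net.Dial("tcp", r.remote) // the MITM host itself must reach the gateway
	if err != nil {
		log.Printf("dial %s: %v", r.remote, err)
		return
	}
	defer server.Close()
	done := make(chan struct{})
	go func() { // client -> server, teeing a copy into the capture buffer
		defer close(done)
		io.Copy(server, io.TeeReader(client, r))
		server.(*net.TCPConn).CloseWrite()
	}()
	io.Copy(client, server) // server -> client
	<-done
}

// StartEchoServer is a constructed stand-in for the VPN gateway: it echoes
// whatever it receives, so Probe can verify bytes crossed the relay intact.
func StartEchoServer(addr string) (net.Listener, error) {
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { defer c.Close(); io.Copy(c, c) }(c)
		}
	}()
	return ln, nil
}

// Probe plays the AnyConnect client: connect to the relay (not the gateway),
// send payload, half-close, and return whatever comes back.
func Probe(relayAddr string, payload []byte) ([]byte, error) {
	c, err := net.Dial("tcp", relayAddr)
	if err != nil {
		return nil, err
	}
	defer c.Close()
	if _, err := c.Write(payload); err != nil {
		return nil, err
	}
	c.(*net.TCPConn).CloseWrite()
	return io.ReadAll(c)
}

func main() {
	gw, err := StartEchoServer("127.0.0.1:0")
	if err != nil {
		log.Fatal(err)
	}
	defer gw.Close()
	// 192.0.2.1 stands in for a sticky external IP that is not local (illustrative)
	if _, err := NewRelay("192.0.2.1:0", gw.Addr().String()); err != nil {
		fmt.Println("binding the external IP fails:", err)
	}
	relay, err := NewRelay("0.0.0.0:0", gw.Addr().String()) // like -l 0.0.0.0
	if err != nil {
		log.Fatal(err)
	}
	defer relay.Close()
	req := []byte("GET /CACHE/sdesktop/install/start.htm HTTP/1.1\r\n\r\n") // constructed
	resp, err := Probe(fmt.Sprintf("127.0.0.1:%d", relay.Port()), req)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("echoed %d bytes; captured %q\n", len(resp), relay.Captured())
}
```

The capture buffer is written by a TeeReader before each chunk reaches the gateway and the client only sees EOF after the relay's handler has finished, so Captured() is complete once Probe returns; that is the same ordering a practitioner relies on when reading the CSD data the real tool logs.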