Closed megastallman closed 4 years ago
Full disclosure, I never tested this using a Linux or OS X client. When I built the tool I used a Windows client. I do not have the development environment available to test Linux and OS X clients. However, I'm interested in seeing if we can make this work. This may require a bit of troubleshooting on your part - please let me know if you manage to get it working!
Take a look around the Linux/OS X AnyConnect client and try to find a setting like `Block connections to untrusted servers`, as seen here on the Windows client. The error sounds like it's a certificate issue. The AnyConnect client does not trust your MITM machine.
Hi @Gilks
It looks strange that you don't have a Linux dev environment. You can google the `anyconnect-linux64-4.6.03049-predeploy-k9.tar.gz` file, which I've tried without success.
The sniff has succeeded on `anyconnect-win-4.6.03049-core-vpn-predeploy-k9.msi`.
As for the `Block connections to untrusted servers` checkbox - I double-check it every time and agree to proceed with an untrusted server.
I appreciate your awareness. It sounds like there may be a misunderstanding around what is required to develop this project. Allow me to explain.
The Linux development environment is not limited to the distribution and AnyConnect binary. In addition to the aforementioned requirements, the developer also requires a valid Cisco VPN that publishes the hostscan binaries for Linux.
I do not have a valid VPN that publishes Linux hostscan binaries. Therefore I do not have the resources to support this request. When I have the opportunity (and authorization) to utilize a company's VPN page for the continued development of this project, I will happily do so.
Thanks again for taking the time to use the bypass!
Oh, I understand that!
Your VPN is much more locked down than ours. Ours does not allow downloading the installer from a web page, barely from the time I joined that company, but still updates it and provides the trojans. Some years ago I unpacked the ASA image during my study courses and saw it containing Linux, macOS and necrosoft window versions of installers and trojans, respectively. That company just breaks networking, locking down all the ports I use, so I'm currently using sshuttle to make a double VPN, just to do my work. So it would be really great to do what this script does...
I'm curious- is there a reason you need to intercept Linux/OS X? If you are able to intercept the Windows AnyConnect client connection, you can connect to the network with Linux/OS X using OpenConnect.
It looks like this: DAP policies require some kind of strange shitware installed, something like particular versions of particular [anti]viruses and such. Also, most ports are blocked, so now I'm using sshuttle to a jumphost just to do my work. That window-sniff test I did was run from a necrosoft IE testing VirtualBox template. It does not get all the required values, just the keys. I know no one with a window corporate laptop to ask to connect to my sniffer host, but there are some corporate macOS users who definitely can. I've also tried to sniff myself on my Kubuntu machine and got the same problems that macOS users have, so I concluded that if I can sniff on Linux, then I'd try doing that with macOS again.... There is also a way to ask for a corporate window laptop, but this idea makes me sick and tired of this game. Of course they can fire me, but I don't care that much about that.
One more disclosure... About 3 years ago I worked for a company called Cisco Systems. After I couldn't connect with Cisco Anydisconnect, they issued me a nice Vpnc config, so I was really happy. But now I'm working for another company that really makes use of these Cisco tools to build some kind of Soviet-style walled garden.
Ah, that makes sense. You worked for Cisco Systems? What a small world! Without access to OS X there isn't much I can do to help. I've only got two ideas:
1. Try uninstalling and reinstalling the OS X AnyConnect client. Perhaps a local config file is driving the software and ignoring your attempts to allow connections to untrusted VPN servers. I strongly believe that once you get the AnyConnect client to connect to your MITM machine that you will successfully generate a CSD file.
2. When developing this script, I found an OS X OpenConnect CSD file that reports back that ClamAV is installed. Perhaps you might get lucky and it will work. Here is the gist. If this works you should successfully connect to the network with your Linux host.
Yeah, some years ago I was involved in ESA/WSA and Cisco-cloud. I'll try to ask our macOS users to reinstall the Anydisconnect client, but I don't think that is possible. As for Linux machines - I've tried both on my Kubuntu laptop and on the Kubuntu LiveUSB image. The first one can have some residual configs, but the LiveUSB is always clean. And I got the same issue.
Good news! I found a way to get my hands on an OS X machine temporarily. I was able to reproduce the exact scenario you were describing, where the error message `AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network. Connection attempt has failed.` occurred even when `Block connections to untrusted servers` was unchecked.
I found that removing the TLS Proxy command line argument `-s` allowed OS X to make a connection to the MITM machine successfully. You must also ensure `Block connections to untrusted servers` is still unchecked. The full syntax is as follows:

```
sudo go run hostscan-bypass.go -l <Local IP> -p 443 -r YOUR_VPN.com:443
```
Let me know how this works!
Hey @megastallman. Did you get a chance to check this out?
Not yet. Hope to try this week.
Closing issue due to inactivity.
Hi @Gilks ! Sorry for the long reply. So I've found a Mac to try.
When I omit the '-s' option, I get the following result:

```
From Client [0]:
00000000 16 03 01 00 a2 01 00 00 9e 03 03 31 4c b8 77 6e |...........1L.wn|
00000010 17 aa e5 a5 0f eb d7 35 16 22 3f 66 7d b2 fe 8d |.......5."?f}...|
00000020 58 d0 c9 f5 f9 45 04 05 f4 76 ec 00 00 2c c0 2c |X....E...v...,.,|
00000030 c0 30 00 9f 00 9d c0 24 c0 28 00 6b 00 3d c0 2b |.0.....$.(.k.=.+|
00000040 c0 2f 00 9e 00 9c c0 23 c0 27 00 67 00 3c 00 39 |./.....#.'.g.<.9|
00000050 00 35 00 33 00 2f 00 0a 00 ff 01 00 00 49 00 0b |.5.3./.......I..|
00000060 00 04 03 00 01 02 00 0a 00 0a 00 08 00 19 00 18 |................|
00000070 00 17 00 13 00 0d 00 20 00 1e 06 01 06 02 06 03 |....... ........|
00000080 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 |................|
00000090 03 03 02 01 02 02 02 03 00 10 00 0b 00 09 08 68 |...............h|
000000a0 74 74 70 2f 31 2e 31                            |ttp/1.1|

From Client [0]:
00000000 16 03 03 01 06 10 00 01 02 01 00 0d d7 df c5 4c |...............L|
00000010 91 89 e1 ba 22 c5 17 b1 3d 44 31 1a dc ea 96 42 |...."...=D1....B|
00000020 e3 47 41 d3 06 4a 48 fc 7b 8a cb bc 44 47 6c 93 |.GA..JH.{...DGl.|
00000030 79 5d 5c 1d 37 d7 30 5d f6 27 02 29 15 11 46 11 |y].7.0].'.)..F.|
00000040 19 eb d4 74 a1 28 de e0 be f1 6f c4 c2 73 6b 43 |...t.(....o..skC|
00000050 f6 75 d4 42 0c 2a e1 c7 5c 88 90 41 2d f3 ff 3d |.u.B.....A-..=|
00000060 a8 b1 ea 1c 1c b3 28 4f 33 49 cd f8 a8 39 2a 38 |......(O3I...98|
00000070 97 b3 18 a5 75 2d d6 cc 2d 06 4b f6 03 e2 f0 c6 |....u-..-.K.....|
00000080 92 dc 97 79 05 cc 74 86 20 83 9e 8c 1e ee 94 8d |...y..t. .......|
00000090 91 12 90 af 54 16 4d 46 81 35 c3 b6 80 de 10 11 |....T.MF.5......|
000000a0 d6 a0 d1 d2 e4 b1 69 e3 92 6b 5d da 3b e6 79 9e |......i..k].;.y.|
000000b0 73 1e 5a 94 5b 20 46 44 c1 ba bc 95 5e e4 93 0d |s.Z.[ FD....^...|
000000c0 6e f3 24 c0 49 f3 3f c2 23 78 cd 79 50 9e 28 73 |n.$.I.?.#x.yP.(s|
000000d0 e3 e7 29 18 51 87 02 1d 06 3d 61 18 3e e0 69 23 |..).Q....=a.>.i#|
000000e0 82 d3 cf 47 47 46 c8 a3 1e a5 9a 3e 43 0d a9 70 |...GGF.....>C..p|
000000f0 b8 02 87 1f a0 9b 80 bf b7 14 e1 77 a5 e2 92 6f |...........w...o|
00000100 76 22 8b 34 5f a6 fe 0b 6f 43 aa 14 03 03 00 01 |v".4_...oC......|
00000110 01 16 03 03 00 40 06 ba 93 98 fc df 32 1d 70 7d |.....@......2.p}|
00000120 58 90 35 9e 90 23 88 5b 4f f2 b4 b5 82 74 a0 7a |X.5..#.[O....t.z|
00000130 e5 82 c9 0e 46 72 fd 4b 99 10 05 6d d2 5e d5 3e |....Fr.K...m.^.>|
00000140 ae d6 a3 7c 62 57 73 e7 50 eb ce d0 9d 8d b5 9c |...|bWs.P.......|
00000150 09 db 4d 3d 6f 9f                               |..M=o.|
```

And it couldn't get the proper end of the stream, printing:

```
EOF
read tcp 10.10.0.2:55462-><IP>:443: use of closed network connection
[*] Accepted from: <CLIENT-IP>:52733
[*][4] Connected to server: <IP>:443
From Client [4]:
```
So the try is basically unsuccessful.
Thanks in advance!
I think we can reopen the issue.
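The two dumps in the comment above already say something about where the connection broke. The first record is a TLS ClientHello (record version 0x0301, client version 0x0303, 22 cipher suites, no server_name extension, ALPN offering http/1.1); the second is the client's ClientKeyExchange followed by ChangeCipherSpec and an encrypted Finished, so the AnyConnect client completed its half of the handshake with the proxy before the EOF arrived. The Go program below is an added example, not code from hostscan-bypass or from anyone in this thread: it parses that first record (the bytes are copied from the dump) with bounds-checked reads, which is how a defender confirms handshake details from a capture rather than by eye.

```go
package main

import (
	"encoding/hex"
	"errors"
	"strings"
)

// ClientHello holds what a defender usually wants out of a TLS ClientHello.
type ClientHello struct {
	RecordVersion uint16   // version in the 5-byte record header
	ClientVersion uint16   // legacy_version inside the hello body
	CipherSuites  []uint16 // offered suites, in client preference order
	Extensions    []uint16 // extension types in wire order (0x0000 would be server_name)
	ALPN          []string // names from the application_layer_protocol_negotiation extension
}

// threadDump: the first "From Client [0]" record quoted above, offset/ASCII columns removed; the thread's own bytes, not constructed data.
const threadDump = `16 03 01 00 a2 01 00 00 9e 03 03 31 4c b8 77 6e 17 aa e5 a5 0f eb d7 35 16 22 3f 66 7d b2 fe 8d
58 d0 c9 f5 f9 45 04 05 f4 76 ec 00 00 2c c0 2c c0 30 00 9f 00 9d c0 24 c0 28 00 6b 00 3d c0 2b
c0 2f 00 9e 00 9c c0 23 c0 27 00 67 00 3c 00 39 00 35 00 33 00 2f 00 0a 00 ff 01 00 00 49 00 0b
00 04 03 00 01 02 00 0a 00 0a 00 08 00 19 00 18 00 17 00 13 00 0d 00 20 00 1e 06 01 06 02 06 03
05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 03 00 10 00 0b 00 09 08 68
74 74 70 2f 31 2e 31`

// cursor is a bounds-checked reader: an over-read sets err instead of panicking, so a malformed hello cannot crash the parser.
type cursor struct {
	buf []byte
	off int
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err == nil && c.off+n > len(c.buf) {
		c.err = errors.New("truncated ClientHello")
	}
	if c.err != nil {
		return nil
	}
	c.off += n
	return c.buf[c.off-n : c.off]
}

// num reads an n-byte big-endian type or length field (TLS uses 1, 2 and 3 bytes).
func (c *cursor) num(n int) int {
	v := 0
	for _, b := range c.take(n) {
		v = v<<8 | int(b)
	}
	return v
}

// vector returns a cursor over a length-prefixed TLS vector with an n-byte length field.
func (c *cursor) vector(n int) *cursor { return &cursor{buf: c.take(c.num(n))} }

// ParseClientHello decodes one TLS record that must carry a ClientHello.
func ParseClientHello(rec []byte) (*ClientHello, error) {
	r := &cursor{buf: rec}
	contentType := r.num(1)
	ch := &ClientHello{RecordVersion: uint16(r.num(2))}
	h := r.vector(2) // the handshake message; fragmentation across records is not handled
	if contentType != 0x16 || h.num(1) != 0x01 {
		return nil, errors.New("not a TLS record carrying a ClientHello")
	}
	c := h.vector(3)
	ch.ClientVersion = uint16(c.num(2))
	c.take(32)  // client random
	c.vector(1) // legacy session id, ignored
	for s := c.vector(2); s.err == nil && s.off < len(s.buf); {
		ch.CipherSuites = append(ch.CipherSuites, uint16(s.num(2)))
	}
	c.vector(1)    // compression methods, ignored
	e := &cursor{} // the extensions block is optional in TLS 1.0/1.1 hellos
	if c.err == nil && c.off < len(c.buf) {
		e = c.vector(2)
	}
	for e.err == nil && e.off < len(e.buf) {
		typ, data := e.num(2), e.vector(2)
		ch.Extensions = append(ch.Extensions, uint16(typ))
		if typ == 0x0010 { // ALPN: a vector of names, each with a 1-byte length
			for l := data.vector(2); l.err == nil && l.off < len(l.buf); {
				if name := l.take(l.num(1)); l.err == nil {
					ch.ALPN = append(ch.ALPN, string(name))
				}
			}
		}
	}
	if r.err != nil || h.err != nil || c.err != nil || e.err != nil {
		return nil, errors.New("truncated ClientHello")
	}
	return ch, nil
}

func ParseThreadClientHello() (*ClientHello, error) {
	raw, err := hex.DecodeString(strings.Join(strings.Fields(threadDump), ""))
	if err != nil {
		return nil, err
	}
	return ParseClientHello(raw)
}
```

Every length-prefixed field is read through the same bounds-checked cursor, so a truncated or malformed hello produces an error rather than a panic, which matters when the input is a capture from an untrusted client; a TLS 1.0-style hello without an extensions block also parses, because that block is treated as optional.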
I apologize but I cannot be of any more help. I would need the actual machine producing that output to troubleshoot this any further. I have no way of reproducing the bug. I'm out of ideas unfortunately.
If you troubleshoot the issue and have any questions you think I can answer I will happily help.
Hi there @megastallman. I think I have a solution for you.
Create a file in the repository called `config.json`. Populate it with the following (to suit your needs - I set the common name to the hostname of the internal IP I was using):

```
{
  "TLS": {
    "Country": ["US"],
    "Org": ["megastallman"],
    "CommonName": "10.10.10.20"
  },
  "Certfile": ""
}
```
Then, run the hostscan-bypass.go program as such:

```
sudo go run hostscan-bypass.go -c config.json -l 10.10.10.20 -p 443 -r remote-vpn.example.com:443 -s
```
Now, I added the certificate to my mac's keychain by fetching it with openssl and then saving it to a file. Then I opened it. However, I'm not sure this really matters because AnyConnect still complains that the cert is invalid:

```
openssl s_client -showcerts -connect 10.10.10.20:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycert.pem && open mycert.pem
```
Once your keychain opens up, make sure you modify the ca/cert to be trusted.
Ensure that the checkbox in your AnyConnect preferences is still set to not block invalid certs, type in the IP or hostname of your internal host and hit connect. Voila
You should now have a successfully saved hostscan-bypass.sh in your folder!
Thanks @cjbirk !
It works on Linux, and in a couple of days I will ask Mac users to sniff the 'corporate' reply. I hope to overcome that company's network restrictions, which I'm currently cheating around with sshuttle over openconnect.
That's awesome to hear. I'm glad it worked for you
I can't get this to work on Linux or mac @cjbirk. I just get the same EOF issue no matter what.
Did you try the solution posted by @cjbirk?
Yeah, I tagged the wrong user :man_facepalming:
Hi @m0ngr31 ! As you may know, I've succeeded with the sniffing. Now I'm sending a macos reply from my Kubuntu laptop, which is not that corporate. So, what works and doesn't:
There could be more options, but I'm satisfied with a macOS Shimo reply.
So, @m0ngr31 , what is your situation? Maybe we can work it around somehow? Maybe you can just try Openconnect or Shimo on a corp laptop?
I have a corporate Macbook with my personal linux box I'm trying to use to do the MITM. I think I got it working with some csd-wrapper scripts last night though.
Hello guys, thank you so much for your brilliant research. I am stuck at level two:

```
Administrator@Star-pc MINGW64 /c/projects/go/src/github.com/gilks/hostscan-bypass (master)
$ sudo go run hostscan-bypass.go -l 10.10.10.8 -p 443 -r remote-vpn.example.com :443 -s
[*] Listening for AnyConnect client connection..
[*] Accepted from: 10.10.10.8:49820
```

This is what I am getting when I use AnyConnect and connect to 10.10.10.8: "connection attempt has timed out. please verify internet connectivity"
Thanks for making use of the bypass! It sounds like a connection to remote-vpn.example.com is failing. Make sure the machine you are running the hostscan-bypass.go on is able to reach remote-vpn.example.com.
If you can reach it in a web browser, try prepending https:// to your vpn url (-r argument).
Hello @megastallman ,
I am stuck at the last phase; below is the error message:

```
$ openssl s_client -showcerts -connect 10.10.10.8 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycert.pem && open mycert.pem
unable to load certificate
11732:error:0909006C:PEM routines:get_name:no start line:../openssl-1.1.1c/crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
```

Kindly help.
Hi @Sputnik-001 ! Try running the first part, before the ampersands, on its own first and see whether the pem file appears. By the way, what system are you running here?
> Hi there @megastallman. I think I have a solution for you.
>
> Create a file in the repository called `config.json`. Populate it with the following (to suit your needs - I set the common name to the hostname of the internal IP I was using):
>
> `{ "TLS":{ "Country":["US"], "Org":["megastallman"], "CommonName":"10.10.10.20" }, "Certfile":"" }`
>
> Then, run the hostscan-bypass.go program as such:
>
> `sudo go run hostscan-bypass.go -c config.json -l 10.10.10.20 -p 443 -r remote-vpn.example.com:443 -s`
>
> Now, I added the certificate to my mac's keychain by fetching it with openssl and then saving it to a file. Then I opened it. However, I'm not sure this really matters because AnyConnect still complains that the cert is invalid:
>
> `openssl s_client -showcerts -connect 10.10.10.20:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycert.pem && open mycert.pem`
>
> Once your keychain opens up, make sure you modify the ca/cert to be trusted.
>
> Ensure that the checkbox in your AnyConnect preferences is still set to not block invalid certs, type in the IP or hostname of your internal host and hit connect. Voila
>
> You should now have a successfully saved hostscan-bypass.sh in your folder!
Thanks so much! I had a working connection and it stopped working. This worked perfectly! Arch Linux, for anyone else who comes across this.
Hi,
I'm stuck with the EOF issue. Here's a quick overview of what I've tried.
Applications I've tried:
OS's I've tried:
Misc. things I've tried:
In all these cases I can successfully connect and log in (so something is going through). Even on unsupported machines/OS's, which is odd considering the whole posture assessment thing. It's definitely running trojan scripts. Either way the EOF issue always appears. Even on Windows.
In addition I've tried inspecting requests with Charles and Proxyman but either no data is captured or the SSL request is unreadable... Maybe it's just really locked down.
Without the "-s" I get quite a bit of data printed and then:

```
EOF
read tcp 10.0.1.22:53769->192.28.0.58:443: use of closed network connection
```
With the "-s" it pretty much fails much quicker and with no "read tcp" error.
If there's any other information I need to provide please let me know. After trying so many things I'm not sure where to go from here.
Some good news, maybe. I can view `https://<VPN URL>/CACHE/sdesktop/data.xml`, but I'm not entirely sure what to do with it to build my own request. I know that's outside the scope of this project (literally mentioned at the end of the blog post) but thought any context is good context.
Thanks.
Hi @joshuaks ! It should definitely work on necrosoft_widows_10, even without config.json. Looks like something has changed. @Gilks, could https://github.com/Gilks/hostscan-bypass/issues/6 be the reason? Should we advise @joshuaks to try older Go runtimes? At the moment I can't check my old successful setup, because I left that company recently and am using OpenVPN via the KDE-netmanager applet at my new workplace.
Ok @joshuaks . I've asked to build that hostscan-bypass binary and send it to me. It has been built with `go version go1.10.2 linux/amd64`. Though I just did go run before, this machine has never been updated. So I hope I've built the old version. Here you can get it: https://gofile.io/?c=bt2lwa
MD5 fe7fd5788a7c06168c5439a88d7e6f9f
Please try.
@megastallman It could be similar to #6 in that this sounds suspiciously like a TLS issue. I don't think using older go binaries will work here unless golang deprecated the needed ciphers (in that case it would work).
@joshuaks The `-s` command is telling the hostscan-bypass to use TLS. If the connection is not completing a TLS handshake, it would explain why the connection is being dropped. Can you provide me with two pieces of information?
1. Use this nmap command and scan your VPN endpoint. Post up the results: `nmap --script ssl-enum-ciphers <endpoint> -p 443`
2. Can you provide the hostscan-bypass one liner you're using to start the go file?
@Gilks I am honestly surprised at all the help so far! I really appreciate it.
1.

```
└─ nmap --script ssl-enum-ciphers $SECRET_COMPANY -p 443
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-04 08:23 EST
Nmap scan report for $SECRET_COMPANY (192.28.0.58)
Host is up (0.094s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     least strength: A

Nmap done: 1 IP address (1 host up) scanned in 22.13 seconds
```

2. `sudo go run hostscan-bypass.go -c config.json -l 127.0.0.1 -p 443 -r $SECRET_COMPANY:443 -s`
@megastallman Thanks for the binary. I'll definitely give it a try and report back.
Yeah, the old go binary isn't going to help much here. There's no way it's a cipher support issue (as seen in #6).
Couple more questions about your hostscan-bypass one liner:
1. I see you're using `127.0.0.1` for the `-l` argument. Are you attempting to use AnyConnect on the same machine that is running `hostscan-bypass.go`?
2. For the `-r` parameter, are you prepending `http://` or `https://` to `$SECRET_COMPANY:443`?
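Gilks's conclusion above that the cipher list rules out a cipher-support problem can be checked mechanically against the Go toolchain that builds hostscan-bypass. The program below is an added example, not project code: it takes the TLSv1.2 suite names from the nmap output quoted above and sorts them into the suites Go's crypto/tls implements, those it only keeps in its insecure list, and those it cannot negotiate at all. All six DHE suites land in the last bucket, because crypto/tls has never implemented finite-field Diffie-Hellman, but the ECDHE-RSA GCM suites the server prefers are supported, so a handshake between a Go client and this server cannot fail for lack of a common cipher.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// nmapCiphers is the TLSv1.2 cipher list from the ssl-enum-ciphers scan quoted above,
// names only (the key-exchange detail and grade dropped). Thread data, not constructed.
var nmapCiphers = []string{
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
	"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
	"TLS_RSA_WITH_AES_256_CBC_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
	"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
	"TLS_RSA_WITH_AES_128_CBC_SHA256",
	"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
	"TLS_RSA_WITH_AES_256_CBC_SHA",
	"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
	"TLS_RSA_WITH_AES_128_CBC_SHA",
}

// Overlap sorts a server's advertised suites by what this Go toolchain can do with them.
type Overlap struct {
	Supported   []string // in tls.CipherSuites(): implemented and not flagged insecure
	Insecure    []string // in tls.InsecureCipherSuites(): implemented but flagged
	Unsupported []string // crypto/tls cannot negotiate these at all
}

// suiteNames indexes a crypto/tls suite list by IANA name.
func suiteNames(list []*tls.CipherSuite) map[string]bool {
	m := make(map[string]bool, len(list))
	for _, cs := range list {
		m[cs.Name] = true
	}
	return m
}

// ClassifyServerCiphers compares a scanned cipher list with the suites the running Go
// toolchain knows. A handshake can only fail for lack of a common cipher when both
// Supported and Insecure come back empty.
func ClassifyServerCiphers(server []string) Overlap {
	supported, insecure := suiteNames(tls.CipherSuites()), suiteNames(tls.InsecureCipherSuites())
	var o Overlap
	for _, name := range server {
		switch {
		case supported[name]:
			o.Supported = append(o.Supported, name)
		case insecure[name]:
			o.Insecure = append(o.Insecure, name)
		default:
			o.Unsupported = append(o.Unsupported, name)
		}
	}
	return o
}

// UsesDHE reports finite-field Diffie-Hellman key exchange, which crypto/tls has never
// implemented; every such suite lands in Unsupported regardless of Go version.
func UsesDHE(name string) bool { return strings.HasPrefix(name, "TLS_DHE_") }

func main() {
	o := ClassifyServerCiphers(nmapCiphers)
	fmt.Printf("supported   (%d): %s\n", len(o.Supported), strings.Join(o.Supported, ", "))
	fmt.Printf("insecure    (%d): %s\n", len(o.Insecure), strings.Join(o.Insecure, ", "))
	fmt.Printf("unsupported (%d): %s\n", len(o.Unsupported), strings.Join(o.Unsupported, ", "))
}
```

tls.CipherSuites() and tls.InsecureCipherSuites() exist since Go 1.14, so this will not compile on the go1.10.2 toolchain mentioned earlier in the thread; that is also the point of the check: the usable set is a property of the Go version doing the dialing, so it should be run with the same toolchain that built the binary.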
@Gilks
1. Yes. Same machine. I've also tried using the private IP of the same machine (ie. `10.0.1.28`).
2. I've tried `$SECRET_DOMAIN:443`, `https://$SECRET_DOMAIN:443` (doesn't work) and `https://$SECRET_DOMAIN` (doesn't work either). Specifying the port only seems to get me the most success.
Try using two separate machines. One machine running the hostscan-bypass and a victim machine (Windows) running AnyConnect. I know it shouldn't matter but something is happening with the TLS handshake. It's kind of hard to troubleshoot issues like this because I don't have a way to reproduce the problem.
Use this one liner:

```
sudo go run hostscan-bypass.go -l 0.0.0.0 -p 443 -r $SECRET_COMPANY:443 -s
```

I'm not sure when I'll get to it (the machine is pretty locked down) but that'll be my next step. Will keep you updated.
So far I've been unsuccessful in getting it to work. AnyConnect prompts for an invalid certificate, click "Connect Anyway", login dialog shows up.
On the hostscan-bypass side there's some activity and it ends with this:

```
EOF
read tcp 192.168.1.13:44512->68.115.198.2:443: use of closed network connection
```
I know the manual says not to login, so I wait. Nothing else happens, no further output and no CSD file created.
I've tried with -c config.json as well, and if no -s is used AnyConnect establishes connection and passes the validation. Yet still no CSD file to be found.
Can anyone point me in the right direction?
I'm going to lock this issue to preserve the troubleshooting that's taken place so far. To everyone in the future- please open a new issue if you have additional questions.
@miminno when you open an issue please be sure to include the distro you're trying to MITM and all of the output that you get up until the `EOF` you mentioned.
It was a poor decision to lock discussions on this thread. I've reopened it to allow continued troubleshooting for any OS X related issues.
@cjbirk @megastallman - are either of you able to help this user? You can post your replies here.
@Gilks you seemed to have closed the issue again?
Originally I meant to unlock the conversation not re-open the issue. Sorry about that.
Hi,
Thanks for this tool.
I found an alternative which is pretty straightforward (it does not require changing AnyConnect preferences or trusting invalid certificates): install `ngrok` and run `ngrok http https://<YOUR IP>`. Then use AnyConnect to connect to the https URL generated by `ngrok`.
Juan
@ncortines interesting! Could you please be a bit more specific? Are you saying you don't need this hostscan bypass tool at all with ngrok? What does
@desilinguist this tool is great and needed! `ngrok` helps with executing it on a macOS environment. The reason is that Cisco AnyConnect VPN Client will refuse to connect to `<MY IP>`, but will be happy to connect to the one generated by `ngrok`, which is a public domain with a valid SSL certificate (`ngrok` tunnels traffic to `<MY IP>`).
Ah, got it now! Thanks!
I had success with the config.json file, but only after removing the [ ] array wrapping:

```
{
  "TLS": {
    "Country": "US",
    "Org": "whatever",
    "CommonName": "10.0.0.1"
  },
  "Certfile": ""
}
```
I noticed if I navigated to the hostscan-bypass webserver with Firefox, the certificate looked more normal after this as well, with the CN showing up, etc.
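Both shapes of config.json posted in this thread, the array form (`"Country":["US"]`) and the scalar form (`"Country": "US"`), differ only in the JSON type of two fields, and which one a Go program accepts is decided entirely by the struct field types it unmarshals into. The program below is an added example, not hostscan-bypass code (the project's own config struct is not on this page, so the field types are an assumption): it shows that encoding/json rejects an array where the struct declares a string, and that a small list type with its own UnmarshalJSON accepts both forms, which is the change a maintainer would make so that neither variant of the file breaks.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// stringList accepts either a JSON string or a JSON array of strings, so both config
// shapes posted in this thread decode to the same Go value.
type stringList []string

func (s *stringList) UnmarshalJSON(b []byte) error {
	if string(b) == "null" { // by convention a no-op, like encoding/json itself
		return nil
	}
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = stringList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("want a string or an array of strings, got %s", b)
	}
	*s = stringList(many)
	return nil
}

// TLSConfig mirrors the keys of the thread's config.json. The field types are an
// assumption for this example; hostscan-bypass's own struct is not shown on this page.
type TLSConfig struct {
	TLS struct {
		Country    stringList `json:"Country"`
		Org        stringList `json:"Org"`
		CommonName string     `json:"CommonName"`
	} `json:"TLS"`
	Certfile string `json:"Certfile"`
}

// strictConfig declares Country as a plain string, the shape under which the array
// form fails to decode.
type strictConfig struct {
	TLS struct {
		Country string `json:"Country"`
	} `json:"TLS"`
}

// The two documents as posted in the thread: the array form from cjbirk's comment and
// the scalar form from the comment directly above.
const arrayForm = `{"TLS":{"Country":["US"],"Org":["megastallman"],"CommonName":"10.10.10.20"},"Certfile":""}`
const scalarForm = `{"TLS":{"Country":"US","Org":"whatever","CommonName":"10.0.0.1"},"Certfile":""}`

// ParseTLSConfig decodes either form into the tolerant struct.
func ParseTLSConfig(doc string) (TLSConfig, error) {
	var c TLSConfig
	err := json.Unmarshal([]byte(doc), &c)
	return c, err
}

// StrictRejects reports whether a string-typed Country field refuses the document.
func StrictRejects(doc string) bool {
	var c strictConfig
	return json.Unmarshal([]byte(doc), &c) != nil
}

func main() {
	for _, doc := range []string{arrayForm, scalarForm} {
		c, err := ParseTLSConfig(doc)
		fmt.Printf("tolerant: country=%v org=%v cn=%s err=%v\n", c.TLS.Country, c.TLS.Org, c.TLS.CommonName, err)
		fmt.Printf("strict string field rejects it: %t\n", StrictRejects(doc))
	}
}
```

A list type is the right target for Country and Org because that is how crypto/x509's pkix.Name carries them; keeping them as lists in the config struct means a single-valued file and a multi-valued one produce the same certificate subject without special cases downstream.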
Hi @Gilks !
I've been able to sniff a window machine with hostscan-bypass, but when I do the same with the Linux client I get the "Limited Access DNS Failure" line with the banner saying:
AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network. Connection attempt has failed.
The macOS users say they get the same. The bypass script says:

```
[*] Listening for AnyConnect client connection..
[*] Accepted from: 87.228.186.66:58944
[*][0] Connected to server: 198.49.180.205:443
read tcp 10.10.0.2:33620->198.49.180.205:443: read: connection reset by peer
```
Thanks!