Gilks / hostscan-bypass

Generate OpenConnect CSD files to bypass Cisco AnyConnect hostscan requirements

Unable to obtain CSD file #7

Closed. miminno closed this 4 years ago.

miminno commented 4 years ago

Bypass command:

go run hostscan-bypass.go -l 192.168.1.13 -p 443 -r sslvpn.mycompany.com:443 -s

AnyConnect warns about an invalid certificate, click "Connect Anyway", login dialog appears on the screen.

Bypass output:

[*] Listening for AnyConnect client connection..
[*] Accepted from: 192.168.1.146:49967
[*][0] Connected to server: 68.115.198.2:443
EOF
read tcp 192.168.1.13:47456->68.115.198.2:443: use of closed network connection
[*] Accepted from: 192.168.1.146:49968
[*][1] Connected to server: 68.115.198.2:443
From Client [1]:
00000000  50 4f 53 54 20 2f 20 48  54 54 50 2f 31 2e 31 0d  |POST / HTTP/1.1.|
00000010  0a 43 61 63 68 65 2d 43  6f 6e 74 72 6f 6c 3a 20  |.Cache-Control: |
00000020  6e 6f 2d 63 61 63 68 65  0d 0a 43 6f 6e 6e 65 63  |no-cache..Connec|
00000030  74 69 6f 6e 3a 20 63 6c  6f 73 65 0d 0a 50 72 61  |tion: close..Pra|
00000040  67 6d 61 3a 20 6e 6f 2d  63 61 63 68 65 0d 0a 55  |gma: no-cache..U|
00000050  73 65 72 2d 41 67 65 6e  74 3a 20 41 6e 79 43 6f  |ser-Agent: AnyCo|
00000060  6e 6e 65 63 74 20 57 69  6e 64 6f 77 73 20 34 2e  |nnect Windows 4.|
00000070  38 2e 30 31 30 39 30 0d  0a 58 2d 54 72 61 6e 73  |8.01090..X-Trans|
00000080  63 65 6e 64 2d 56 65 72  73 69 6f 6e 3a 20 31 0d  |cend-Version: 1.|
00000090  0a 58 2d 41 6e 79 43 6f  6e 6e 65 63 74 2d 53 54  |.X-AnyConnect-ST|
000000a0  52 41 50 2d 50 75 62 6b  65 79 3a 20 4d 46 6b 77  |RAP-Pubkey: MFkw|
000000b0  45 77 59 48 4b 6f 5a 49  7a 6a 30 43 41 51 59 49  |EwYHKoZIzj0CAQYI|
000000c0  4b 6f 5a 49 7a 6a 30 44  41 51 63 44 51 67 41 45  |KoZIzj0DAQcDQgAE|
000000d0  71 72 41 6a 58 4e 42 65  39 52 58 6e 4b 78 75 45  |qrAjXNBe9RXnKxuE|
000000e0  4a 36 48 61 2f 46 53 52  64 6b 77 47 43 39 4e 42  |J6Ha/FSRdkwGC9NB|
000000f0  49 38 2f 61 64 6e 2b 4a  54 4e 38 59 62 52 36 5a  |I8/adn+JTN8YbR6Z|
00000100  31 47 57 65 55 39 4b 4d  7a 45 72 71 53 6b 2b 39  |1GWeU9KMzErqSk+9|
00000110  55 4f 32 4b 6f 62 6b 6c  59 64 43 30 39 53 61 71  |UO2KobklYdC09Saq|
00000120  43 2b 53 2b 43 51 3d 3d  0d 0a 58 2d 41 67 67 72  |C+S+CQ==..X-Aggr|
00000130  65 67 61 74 65 2d 41 75  74 68 3a 20 31 0d 0a 43  |egate-Auth: 1..C|
00000140  6f 6e 74 65 6e 74 2d 4c  65 6e 67 74 68 3a 20 37  |ontent-Length: 7|
00000150  39 31 0d 0a 48 6f 73 74  3a 20 31 39 32 2e 31 36  |91..Host: 192.16|
00000160  38 2e 31 2e 31 33 0d 0a  0d 0a                    |8.1.13....|

From Client [1]:
00000000  3c 3f 78 6d 6c 20 76 65  72 73 69 6f 6e 3d 22 31  |<?xml version="1|
00000010  2e 30 22 20 65 6e 63 6f  64 69 6e 67 3d 22 55 54  |.0" encoding="UT|
00000020  46 2d 38 22 3f 3e 0a 3c  63 6f 6e 66 69 67 2d 61  |F-8"?>.<config-a|
00000030  75 74 68 20 63 6c 69 65  6e 74 3d 22 76 70 6e 22  |uth client="vpn"|
00000040  20 74 79 70 65 3d 22 69  6e 69 74 22 20 61 67 67  | type="init" agg|
00000050  72 65 67 61 74 65 2d 61  75 74 68 2d 76 65 72 73  |regate-auth-vers|
00000060  69 6f 6e 3d 22 32 22 3e  0a 3c 76 65 72 73 69 6f  |ion="2">.<versio|
00000070  6e 20 77 68 6f 3d 22 76  70 6e 22 3e 34 2e 38 2e  |n who="vpn">4.8.|
00000080  30 31 30 39 30 3c 2f 76  65 72 73 69 6f 6e 3e 0a  |01090</version>.|
00000090  3c 64 65 76 69 63 65 2d  69 64 20 63 6f 6d 70 75  |<device-id compu|
000000a0  74 65 72 2d 6e 61 6d 65  3d 22 41 52 43 48 2d 57  |ter-name="ARCH-W|
000000b0  49 4e 31 30 22 20 64 65  76 69 63 65 2d 74 79 70  |IN10" device-typ|
000000c0  65 3d 22 51 45 4d 55 20  53 74 61 6e 64 61 72 64  |e="QEMU Standard|
000000d0  20 50 43 20 28 51 33 35  20 2b 20 49 43 48 39 2c  | PC (Q35 + ICH9,|
000000e0  20 32 30 30 39 29 22 20  70 6c 61 74 66 6f 72 6d  | 2009)" platform|
000000f0  2d 76 65 72 73 69 6f 6e  3d 22 31 30 2e 30 2e 31  |-version="10.0.1|
00000100  38 33 36 32 20 22 20 75  6e 69 71 75 65 2d 69 64  |8362 " unique-id|
00000110  3d 22 35 46 33 37 30 45  45 43 39 39 43 42 39 44  |="5F370EEC99CB9D|
00000120  33 31 38 35 31 37 36 33  37 44 39 39 35 31 31 33  |318517637D995113|
00000130  45 45 36 42 30 33 35 31  33 36 43 42 43 46 30 45  |EE6B035136CBCF0E|
00000140  46 31 34 34 37 31 32 32  32 33 31 42 38 46 37 42  |F1447122231B8F7B|
00000150  41 33 22 20 75 6e 69 71  75 65 2d 69 64 2d 67 6c  |A3" unique-id-gl|
00000160  6f 62 61 6c 3d 22 45 42  42 44 32 44 37 45 32 38  |obal="EBBD2D7E28|
00000170  37 45 39 31 45 34 36 32  44 46 34 33 34 42 38 39  |7E91E462DF434B89|
00000180  41 42 43 32 32 35 35 42  37 31 35 32 43 43 22 3e  |ABC2255B7152CC">|
00000190  77 69 6e 3c 2f 64 65 76  69 63 65 2d 69 64 3e 0a  |win</device-id>.|
000001a0  3c 6d 61 63 2d 61 64 64  72 65 73 73 2d 6c 69 73  |<mac-address-lis|
000001b0  74 3e 0a 3c 6d 61 63 2d  61 64 64 72 65 73 73 20  |t>.<mac-address |
000001c0  70 75 62 6c 69 63 2d 69  6e 74 65 72 66 61 63 65  |public-interface|
000001d0  3d 22 74 72 75 65 22 3e  35 32 2d 35 34 2d 30 30  |="true">52-54-00|
000001e0  2d 34 62 2d 64 34 2d 30  36 3c 2f 6d 61 63 2d 61  |-4b-d4-06</mac-a|
000001f0  64 64 72 65 73 73 3e 3c  2f 6d 61 63 2d 61 64 64  |ddress></mac-add|
00000200  72 65 73 73 2d 6c 69 73  74 3e 0a 3c 67 72 6f 75  |ress-list>.<grou|
00000210  70 2d 73 65 6c 65 63 74  3e 49 6e 66 6f 72 6d 61  |p-select>IVPN1</group-|
00000230  73 65 6c 65 63 74 3e 0a  3c 67 72 6f 75 70 2d 61  |select>.<group-a|
00000240  63 63 65 73 73 3e 68 74  74 70 73 3a 2f 2f 31 39  |ccess>https://19|
00000250  32 2e 31 36 38 2e 31 2e  31 33 3c 2f 67 72 6f 75  |2.168.1.13</grou|
00000260  70 2d 61 63 63 65 73 73  3e 0a 3c 63 61 70 61 62  |p-access>.<capab|
00000270  69 6c 69 74 69 65 73 3e  0a 3c 61 75 74 68 2d 6d  |ilities>.<auth-m|
00000280  65 74 68 6f 64 3e 6d 75  6c 74 69 70 6c 65 2d 63  |ethod>multiple-c|
00000290  65 72 74 3c 2f 61 75 74  68 2d 6d 65 74 68 6f 64  |ert</auth-method|
000002a0  3e 0a 3c 61 75 74 68 2d  6d 65 74 68 6f 64 3e 73  |>.<auth-method>s|
000002b0  69 6e 67 6c 65 2d 73 69  67 6e 2d 6f 6e 3c 2f 61  |ingle-sign-on</a|
000002c0  75 74 68 2d 6d 65 74 68  6f 64 3e 0a 3c 61 75 74  |uth-method>.<aut|
000002d0  68 2d 6d 65 74 68 6f 64  3e 73 69 6e 67 6c 65 2d  |h-method>single-|
000002e0  73 69 67 6e 2d 6f 6e 2d  76 32 3c 2f 61 75 74 68  |sign-on-v2</auth|
000002f0  2d 6d 65 74 68 6f 64 3e  3c 2f 63 61 70 61 62 69  |-method></capabi|
00000300  6c 69 74 69 65 73 3e 0a  3c 2f 63 6f 6e 66 69 67  |lities>.</config|
00000310  2d 61 75 74 68 3e 0a                              |-auth>.|

EOF
read tcp 192.168.1.13:47458->68.115.198.2:443: use of closed network connection

No further output in the console and no CSD file created.

I run hostscan-bypass in the Ubuntu VM:

$ cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"

$ go version
go version go1.10.4 linux/amd64

Cisco AnyConnect version 4.8.01090
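Reading a capture like the one above, as an added example (this is not code from hostscan-bypass, nor anything posted in this thread): a Go program that turns the tool's hex-dump console output back into bytes, reads the HTTP request with the standard library, and decodes the `<config-auth type="init">` body. `PageExcerpt` is the first dump line from this issue; `DecodeDump`, `ParseCapture`, `ConfigAuth`, `SampleCapture` and the `ExampleGroup`/`EXAMPLE` placeholder values are constructed for the example and are not part of the tool.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"strconv"
	"strings"
)

// PageExcerpt is the first dump line from the issue, used to check the parser
// against the tool's real output format.
const PageExcerpt = "00000000  50 4f 53 54 20 2f 20 48  54 54 50 2f 31 2e 31 0d  |POST / HTTP/1.1.|"

// DecodeDump turns hex.Dump-style console output back into bytes. Lines that do
// not start with an 8-digit hex offset ("From Client [1]:", "EOF", ...) are
// skipped, so a whole console paste can be fed in; the |ascii| column is ignored.
func DecodeDump(dump string) ([]byte, error) {
	var out []byte
	for _, line := range strings.Split(dump, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || len(f[0]) != 8 {
			continue
		}
		if _, err := strconv.ParseUint(f[0], 16, 32); err != nil {
			continue // first field is not an offset, so not a dump line
		}
		for _, h := range f[1:] {
			if strings.HasPrefix(h, "|") {
				break // start of the ascii column
			}
			b, err := strconv.ParseUint(h, 16, 8)
			if err != nil {
				return nil, fmt.Errorf("bad hex field %q in %q", h, line)
			}
			out = append(out, byte(b))
		}
	}
	return out, nil
}

// ConfigAuth maps the <config-auth type="init"> body the client posts first.
// Every field in it is self-reported by the client.
type ConfigAuth struct {
	Type     string `xml:"type,attr"`
	DeviceID struct {
		ComputerName string `xml:"computer-name,attr"`
		Platform     string `xml:",chardata"`
	} `xml:"device-id"`
	MACs        []string `xml:"mac-address-list>mac-address"`
	GroupSelect string   `xml:"group-select"`
	GroupAccess string   `xml:"group-access"`
	AuthMethods []string `xml:"capabilities>auth-method"`
}

// ParseCapture decodes a dump of the client's first request (the tool prints the
// headers and the body as two consecutive dumps) and parses the XML body.
func ParseCapture(dump string) (*http.Request, *ConfigAuth, error) {
	raw, err := DecodeDump(dump)
	if err != nil {
		return nil, nil, err
	}
	req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(raw)))
	if err != nil {
		return nil, nil, err
	}
	body, err := io.ReadAll(req.Body) // bounded by Content-Length
	if err != nil {
		return nil, nil, err
	}
	ca := &ConfigAuth{}
	return req, ca, xml.Unmarshal(body, ca)
}

// SampleCapture is a constructed request in the shape of the one in the issue
// (group name and unique-id are placeholders, not the captured values), written
// out with hex.Dump, the same format the tool prints.
func SampleCapture() string {
	body := "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
		"<config-auth client=\"vpn\" type=\"init\" aggregate-auth-version=\"2\">\n" +
		"<version who=\"vpn\">4.8.01090</version>\n" +
		"<device-id computer-name=\"ARCH-WIN10\" platform-version=\"10.0.18362 \" unique-id=\"EXAMPLE\">win</device-id>\n" +
		"<mac-address-list>\n<mac-address public-interface=\"true\">52-54-00-4b-d4-06</mac-address></mac-address-list>\n" +
		"<group-select>ExampleGroup</group-select>\n<group-access>https://192.168.1.13</group-access>\n" +
		"<capabilities>\n<auth-method>multiple-cert</auth-method>\n<auth-method>single-sign-on</auth-method>\n" +
		"<auth-method>single-sign-on-v2</auth-method></capabilities>\n</config-auth>\n"
	head := "POST / HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: close\r\n" +
		"User-Agent: AnyConnect Windows 4.8.01090\r\nX-Aggregate-Auth: 1\r\n" +
		"Content-Length: " + strconv.Itoa(len(body)) + "\r\nHost: 192.168.1.13\r\n\r\n"
	return "From Client [1]:\n" + hex.Dump([]byte(head+body))
}

func main() {
	if req, ca, err := ParseCapture(SampleCapture()); err != nil {
		panic(err)
	} else {
		fmt.Printf("%s to host %s: %+v\n", req.Method, req.Host, *ca)
	}
}
```

Fed a pasted console capture, this shows what the ASA sees at this stage: computer name, platform, MAC address, the selected group and the advertised auth methods, all supplied by the client, plus `Host` and `group-access` pointing at the proxy address given with `-l`. Nothing in the init request dumped in this issue refers to CSD or hostscan, which is the point the maintainer makes below.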

Gilks commented 4 years ago

Are you being prompted for credentials after that output?

EDIT: Just re-read the issue and saw you put that information at the top.

Are you sure your company is using hostscan? I don't see any indication that it's in use based off those details.

miminno commented 4 years ago

Is there any other scan?

[image]

What I've also noticed is that when I just connect with AnyConnect the scan is run after I put my credentials in. So it's a 3-step process: 1) Login and establish a connection 2) Run the scan 3) If success then grant the network access.

Gilks commented 4 years ago

Interesting. That does not appear to be hostscan, which explains why the bypass isn't working for you. That looks like a separate feature built into AnyConnect. I'm sure it's possible to spoof the results of the scan after you connect but I don't have an environment with that capability enabled for development.

If you're looking to try and do that I'd recommend authenticating using a TCP proxy and see what the traffic looks like after it connects. It might be something as simple as a POST request to the ASA with a successful result.

miminno commented 4 years ago

I tried that. The only way the authentication works via proxy is with the -c config.json and without the -s option. But then all the traffic is encrypted and unreadable :(

Gilks commented 4 years ago

In this particular case I can't be of much help. I'd need to have access to the machine to see if it's a control or proxy error.

I'm here if you end up going down the rabbit hole and want someone to bounce ideas off of though!