SpikefishSolutions / PanTools


Having issues with 10.1 #1

Open erickfcc opened 1 year ago

erickfcc commented 1 year ago

erickmel@ubuntu-box:~$ ./pan-captive-portal-auth.sh
Enter Palo Alto Captive Portal URL: https://192.168.2.1:6082/php/uid.php?vsys=1&rule=1
Enter Username: erickmel
Enter password:
Authentication Failed or curl not installed

I have an MFA profile attached and I do get the push notification, however I get this error before I can even approve the push.

spikefishjohn commented 1 year ago

Howdy! Sorry i didn't see this until now.

I'm not sure if this will work with 2FA.

try running it like this and I'll see if there is anything I can do. You may need to scrub the output just in case for user/password.

bash -x pan-captive-portal-auth.sh
erickfcc commented 1 year ago

No worries John, thanks for your help, here is the output I am getting

@.***:~$ bash -x pan-captive-portal-auth.sh ++ mktemp


spikefishjohn commented 1 year ago

Well that wasn't helpful.

Ok edit the script and remove the | and everything else beyond the curl command.

curl -s "$pancaptiveportlurl" \
        --data-urlencode 'inputStr=' \
        --data-urlencode 'escapeUser='"$panuser" \
        --data-urlencode 'preauthid=' \
        --data-urlencode 'user='"$panuser" \
        --data-urlencode 'passwd@'"$pwfile" \
        --data-urlencode 'ok=Login' \
        --insecure

And send the output.

erickfcc commented 1 year ago

Here you go:

@.***:~$ bash -x pan-captive-portal-auth-copy.sh ++ mktemp


spikefishjohn commented 1 year ago

yuck.. here is where the javascript comes in.

Is that window.location = "bla"; all one line?

This is a complete shot in the dark since I have no idea what the MFA url is going to be looking for but just for grins.

What do you get if you hit curl to that using the existing curl command, only with the new url? BTW that new URL might be short lived, so if you try this, do the original again, see if it changes, then copy/paste the curl command with the new url.

That being said, bash + curl may not be the right tool for this, but i'll see what we can do.

erickfcc commented 1 year ago

Yeah, I think the thing with window.location= is that when we go to https://192.168.2.1:6082/php/uid.php?vsys=1&rule=1 the firewall generates a token for the session that is added on.


spikefishjohn commented 1 year ago

Hark ye brave soul, for I bring completely untested code!

Let me know if this works. I honestly have no idea what the 2FA url will do or what it's looking for. Hopefully this will generate something semi useful. I'll take a look at mfa_login and see if I can figure out what it's looking for in the meantime.

bash -x pan-captive-portal-auth.sh

again... IF YOU DARE!.. or like.. you feel like it? UPDATE: 8/18/2023 - syntax errors hopefully fixed.

#!/bin/bash

# This script is meant to demonstrate how to use curl
# via an https post to authenticate to a Palo Alto firewall
# Captive Portal url. This is for hosts that don't have access to
# a full web browser, but need to authenticate to a Palo Alto
# firewall to create a user to ip mapping via the Captive Portal.
# Note this script ignores ssl certificate issues (--insecure).

# bail if mktemp isn't working. mktemp creates the file mode 0600,
# so only this user can read the password written into it.
pwfile=$(mktemp) || { echo "failed to make tempfile" ; exit 1; }
# delete temp file on exit. This will prevent a tempfile from laying around with
# a password in it.
trap '{ rm -f "$pwfile"; }' EXIT

# read Captive Portal url
# Captive Portal (as of 10.1.x) with certificate installed and
# authentication rule 0 uses this format.
# https://HostNameOrIP:6082/php/uid.php?vsys=1&rule=0
read -r -p "Enter Palo Alto Captive Portal URL: " pancaptiveportlurl
# read username for Captive Portal Auth
read -r -p "Enter Username: " panuser
# read password
echo -n "Enter password: "
# -s disables echo of the typed password. :(
read -r -s panpassword
# add newline
echo

# securely write password to temp file. This is to prevent
# password from showing on ps -axwu output. printf is a bash
# builtin, so the password is never an argument of a separate
# process (a here-string fed to dd can also land in a second
# temp file under /tmp on older bash versions, which this avoids).
printf '%s\n' "$panpassword" > "$pwfile" || exit 1

# 'passwd@file' makes curl read the field value from the file,
# so the password also stays off the curl command line.
CURLOUT=$(curl -s "$pancaptiveportlurl" \
        --data-urlencode 'inputStr=' \
        --data-urlencode 'escapeUser='"$panuser" \
        --data-urlencode 'preauthid=' \
        --data-urlencode 'user='"$panuser" \
        --data-urlencode 'passwd@'"$pwfile" \
        --data-urlencode 'ok=Login' \
        --insecure)

# With MFA the first post answers with a page whose javascript sends the
# browser on: window.location = "https://.../php/mfa_login?mfainfo=...";
# Pull that url out. [^"]* stops at the closing quote instead of
# swallowing the rest of the page the way a greedy .* would.
TWOFAURL=$( printf '%s' "$CURLOUT" | tr -d '\n' | sed -r 's,^.*window\.location = "([^"]*)".*$,\1,' )
# keep it only if it really is the mfa url; otherwise TWOFAURL ends up empty.
# (unset inside $( ) only affects the subshell, so test for empty instead.)
TWOFAURL=$( printf '%s' "$TWOFAURL" | grep -E '^http.*mfa' )
if [ -n "$TWOFAURL" ] ; then
     read -r -p "2FA User: " TWOFAUSER
     read -r -s -p "2FA Code+Passphrase: " TWOFAPASS
     echo
     # reuse the 0600 temp file so the 2FA secret is also read by curl
     # from a file ('passwd@' expects a file name, not the secret itself).
     printf '%s\n' "$TWOFAPASS" > "$pwfile" || exit 1
     echo "curl attempt to 2FA url. Crossing fingers"
     echo "2FA url is $TWOFAURL"
     curl -s "$TWOFAURL" \
        --data-urlencode 'inputStr=' \
        --data-urlencode 'escapeUser='"$TWOFAUSER" \
        --data-urlencode 'preauthid=' \
        --data-urlencode 'user='"$TWOFAUSER" \
        --data-urlencode 'passwd@'"$pwfile" \
        --data-urlencode 'ok=Login' \
        --insecure
else
    printf '%s\n' "$CURLOUT"
fi
spikefishjohn commented 1 year ago

I just looked at mfa_login, that for sure isn't going to work, but it might be helpful to see output.

spikefishjohn commented 1 year ago

I think to come up with a way to make this work I'll need to set up a 2FA firewall. Looks like there is a way to send pass phrase and pass code, but I'll need time to mess with it.

erickfcc commented 1 year ago

Hey John!

Thanks for the follow up! I am getting the following:

@.***:~$ bash -x pan-captive-portal-auth-copy2.sh ++ mktemp


spikefishjohn commented 1 year ago

Well, the good news is it extracted the 2FA url; bad news is I completely hosed that if/else/fi statement.

spikefishjohn commented 1 year ago

Ok, I updated the shell script in the above post. 100% it's not the correct forms. Would it be possible for you to add some screenshots of doing the 2FA prompts? Also, if you could use developer mode to show the posts sent when you hit the 2FA prompts, that would be super helpful. I think you can even convert the post request to curl format.

Something like this https://everything.curl.dev/usingcurl/copyas

erickfcc commented 1 year ago

I wasn't sure what to copy as curl, so I copied all the MFA_Checks. If you need me to copy something else as curl, I can do it again. Also, I took a screen recording for you.

Copy as curl below:

https://192.168.2.1:6082/php/mfa_check_status?MfaPending&mfainfo=ZH9liQAAAKIAAQAAAAEAAAAAAAAAAgAAAA0xOTIuMTY4LjIuMjAA

curl 'https://192.168.2.1:6082/php/mfa_check_status?MfaPending&mfainfo=ZH9liQAAAKIAAQAAAAEAAAAAAAAAAgAAAA0xOTIuMTY4LjIuMjAA' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Origin: https://192.168.2.1:6082' -H 'Connection: keep-alive' -H 'Referer: https://192.168.2.1:6082/php/mfa_login?mfainfo=ZH9liQAAAKIAAQAAAAEAAAAAAAAAAQAAAA0xOTIuMTY4LjIuMjAA' -H 'Cookie: SESSID=f4MBAWTfgtYhPnGvAwMLAg==' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin' --data-raw 'status=success&AuthPolicy=&Vsys=&AuthProfile=&username=erickmel&CurrentFactorNum=2&ReqID=&AuthMethods=&state=MfaPending&OfflineMethodsStatus=enable'


Link to Screen Recording

2MFA.mov https://drive.google.com/file/d/1FtoPaEqSKJEmF8Y4UFqGsrDFOp3mTC3V/view?usp=drive_web

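The requests above, together with the window.location redirect John's script has to chase, describe the browser's side of the 10.1 MFA captive portal: post credentials to uid.php, get bounced to mfa_login?mfainfo=..., and then the page's XHR polls mfa_check_status while the push is pending. The following bash + curl sketch is an added example, not PanTools code and not something the project has tested against a firewall. The portal response in SAMPLE_HTML is constructed from the shape described in the thread; the stop condition for polling (the reply no longer containing "MfaPending") and the reuse of the SESSID cookie via a cookie jar are assumptions, since the thread does not show the JSON that mfa_check_status returns. Note that the mfainfo blob differs between the mfa_login url and the mfa_check_status url in the captures, so the status url is taken as input (copied from dev tools, as erickfcc did) rather than derived.

```shell
#!/bin/bash
# Added example (not PanTools code). Assumptions are marked below.

# Constructed sample of the first reply a 10.1 portal with MFA gives to the
# credential post (the "window.location" page discussed in this thread).
SAMPLE_HTML='<html><head><script type="text/javascript">
window.location = "https://192.168.2.1:6082/php/mfa_login?mfainfo=ZH9liQAAAKIAAQAAAAEAAAAAAAAAAQAAAA0xOTIuMTY4LjIuMjAA";
</script></head><body></body></html>'

# extract_mfa_url HTML -> prints the redirect target; exit 1 and no output if
# the page carries no mfa_login redirect (e.g. "Authentication Failed").
extract_mfa_url() {
    url=$(printf '%s' "$1" | tr -d '\n\r' \
          | sed -E 's/.*window\.location *= *"([^"]*)".*/\1/')
    case "$url" in
        http*mfa_login*) printf '%s\n' "$url"; return 0 ;;
        *) return 1 ;;
    esac
}

# mfainfo_of URL -> prints the opaque mfainfo query value the firewall minted.
# It changes between steps in the captures above, so treat it as data only.
mfainfo_of() {
    printf '%s' "$1" | sed -E 's/.*[?&]mfainfo=([^&]*).*/\1/'
}

# poll_mfa_status STATUS_URL USER COOKIEJAR [TRIES]
# Re-issues the XHR the portal page sends while the push is pending, with the
# form body and headers captured in the thread. SESSID comes from the cookie
# jar filled by the earlier GET of the mfa_login page (assumption).
# Assumption: a reply without "MfaPending" means the push was decided.
poll_mfa_status() {
    status_url=$1; user=$2; jar=$3; tries=${4:-30}
    i=0
    while [ "$i" -lt "$tries" ]; do
        reply=$(curl -s --insecure -b "$jar" -c "$jar" \
            -H 'X-Requested-With: XMLHttpRequest' \
            -H 'Accept: application/json, text/javascript, */*; q=0.01' \
            --data-urlencode 'status=success' \
            --data-urlencode 'AuthPolicy=' \
            --data-urlencode 'Vsys=' \
            --data-urlencode 'AuthProfile=' \
            --data-urlencode "username=$user" \
            --data-urlencode 'CurrentFactorNum=2' \
            --data-urlencode 'ReqID=' \
            --data-urlencode 'AuthMethods=' \
            --data-urlencode 'state=MfaPending' \
            --data-urlencode 'OfflineMethodsStatus=enable' \
            "$status_url") || return 1
        case "$reply" in
            *MfaPending*) ;;                       # push still waiting on the user
            *) printf '%s\n' "$reply"; return 0 ;;  # assumed final answer
        esac
        i=$((i + 1)); sleep 2
    done
    echo "push not approved after $tries polls" >&2
    return 1
}

# mfa_flow PORTAL_URL USER PWFILE STATUS_URL
# Step 1: the credential post from pan-captive-portal-auth.sh, password read by
# curl from a 0600 temp file. Step 2: follow the redirect with a cookie jar so
# SESSID is kept. Step 3: poll. STATUS_URL is pasted from the browser's dev
# tools because its mfainfo blob is minted by the portal, not by us.
mfa_flow() {
    portal=$1; user=$2; pwfile=$3; status_url=$4
    jar=$(mktemp) || return 1
    trap 'rm -f "$jar"' EXIT
    page=$(curl -s --insecure -c "$jar" "$portal" \
        --data-urlencode 'inputStr=' --data-urlencode "escapeUser=$user" \
        --data-urlencode 'preauthid=' --data-urlencode "user=$user" \
        --data-urlencode "passwd@$pwfile" --data-urlencode 'ok=Login')
    mfa=$(extract_mfa_url "$page") || { printf '%s\n' "$page"; return 1; }
    # loads mfa_login (the page that carries mfalogin.js); sets SESSID (assumed)
    curl -s --insecure -b "$jar" -c "$jar" "$mfa" > /dev/null
    poll_mfa_status "$status_url" "$user" "$jar"
}
```

Usage: write the password into a mktemp file as the script above does, then `mfa_flow 'https://192.168.2.1:6082/php/uid.php?vsys=1&rule=1' erickmel "$pwfile" 'https://192.168.2.1:6082/php/mfa_check_status?MfaPending&mfainfo=...'`. Keep --insecure only while testing against the self-signed portal certificate; the push approval is the second factor, so the script never has to handle a passcode on that path.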

spikefishjohn commented 1 year ago

Nice, thanks i'll check this out shortly!

spikefishjohn commented 1 year ago

Ok, that's interesting. Can you do the same for the GET request going to the mfa_login url? With that I might be able to put together what is happening. BTW I downloaded the mov file if you want to take it down for any reason.

erickfcc commented 1 year ago

I think you mean the mfalogin.js, right? It's the one I have highlighted in the screenshot below.

curl 'https://192.168.2.1:6082/login/js/mfalogin.js' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br' -H 'Connection: keep-alive' -H 'Referer: https://192.168.2.1:6082/php/mfa_login?mfainfo=ZH9liQAAAKgAAQAAAAEAAAAAAAAAAQAAAA0xOTIuMTY4LjIuMjAA' -H 'Cookie: SESSID=f4MBAWTfmvIhPnGvAwMMAg==' -H 'Sec-Fetch-Dest: script' -H 'Sec-Fetch-Mode: no-cors' -H 'Sec-Fetch-Site: same-origin'

[image: Screenshot 2023-08-18 at 11.24.11 AM.png]
