abrasive / nxBender

Open source client for netExtender SSL VPNs
BSD 3-Clause "New" or "Revised" License

Support of the two-factor authentication #17

Open GuillaumeSeren opened 4 years ago

GuillaumeSeren commented 4 years ago

Hello! New job, new VPN, and I was asked to use netExtender.

While trying to keep my machine clean from this closed source stuff, I discovered your project.

I am testing it, but actually I need a way to provide the two-factor authentication; here is what I get:

└─> nxBender --server ssl1.client.com -u gseren -p 'pass' -d 2fa.client.com --debug                                          
INFO     Logging in...                                              
DEBUG    Starting new HTTPS connection (1): ssl1.client.com:443                                                                        
send: b'POST /cgi-bin/userLogin HTTP/1.1\r\nHost: ssl1.client.com\r\nAccept-Encoding: identity\r\nUser-Agent: Dell SonicWALL NetExtender for Linux 8.1.789\r\nX-NE-SESSIONPROMPT: true\r\nContent-Length: 78\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n'
send: b'username=gseren&password=pass&domain=2fa.client.com&login=true'                                                  
reply: 'HTTP/1.1 200 OK\r\n'                                                                                                             
header: Date: Wed, 15 Jul 2020 11:09:48 GMT                         
header: Server: SonicWALL SSL-VPN Web Server                                                                                             
header: X-NE-tf: 1                                                  
header: X-NE-message: Get a verification code from the two-factor authentication app and verify your identity
header: MC-bookmarks: 3                                                                                                                  
header: Set-Cookie: swap=MGZzRm5ZdzBLR3c4WVZtMEltaU1NYUl3M2kjkjkjkjkxNeFBiS0xwS3VhST0=; path=/; secure; HttpOnly
header: X-FRAME-OPTIONS: SAMEORIGIN                                 
header: X-XSS-Protection: 1; mode=block                             
header: Content-Security-Policy: script-src https://*.duosecurity.com 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self'; style-src 'self' 'unsafe-inline'
header: Referrer-Policy: strict-origin                                                                                                   
header: X-Content-Type-Options: nosniff                                                                                                  
header: Transfer-Encoding: chunked                                  
header: Content-Type: text/html; charset=UTF-8                                                                                           
DEBUG    https://ssl1.client.com:443 "POST /cgi-bin/userLogin HTTP/1.1" 200 None                                                       
Traceback (most recent call last):                                  
  File "/home/gseren/.local/bin/nxBender", line 8, in <module>                                                                           
    sys.exit(main())                                                
  File "/home/gseren/.local/lib/python3.7/site-packages/nxbender/__init__.py", line 67, in main
    sess.run()                                                      
  File "/home/gseren/.local/lib/python3.7/site-packages/nxbender/nx.py", line 48, in run                                                 
    self.options.domain                                             
  File "/home/gseren/.local/lib/python3.7/site-packages/nxbender/nx.py", line 73, in login                                               
    raise IOError('Server returned error: %s' % error)                                                                                   
OSError: Server returned error: Get a verification code from the two-factor authentication app and verify your identity

I think it should be possible to catch this error and ask for the two-factor pin (or provide it by an argument), what do you think?

GuillaumeSeren commented 4 years ago

Hey, I think the headers that say a 2fa is needed are:

header: X-NE-tf: 1                                                  
header: X-NE-message: Get a verification code from the two-factor authentication app and verify your identity

Can someone using this without 2fa confirm?

abrasive commented 3 years ago

Hi Guillaume! I'm sorry I didn't have time to look at this before now. Are you still using the same VPN?

I just added support for my organisation's 2fa, but they use a different method (X-NE-tf: 5).

I used mitmproxy with the official client to work out how the new flow works, can you do the same? I ran mitmproxy like so:

mitmproxy --mode reverse:https://vpn.myemployer.net

Then connected using the client like so:

./netExtender -u myusername -d mydomain localhost:8080

Yes your way through the untrusted certificate warning and you'll get a trace of the requests needed to get logged in.

abrasive commented 3 years ago

@ml1nk your help would also be welcome if this still affects you

GuillaumeSeren commented 3 years ago

Hey @abrasive, no, I am not working with this company anymore so I can't test this, but that's good news that you added the support, thank you!
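An added example, not part of the thread and not nxBender's own code: a sketch of telling a second-factor challenge apart from a hard login failure, using the X-NE-tf and X-NE-message headers shown in the trace above. The names LoginOutcome, parse_debug_headers and classify_login are hypothetical, the sample trace is constructed from the lines quoted in this issue, and the handling of a missing or zero X-NE-tf is an assumption the thread never confirms.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Matches the "header: Name: value" lines that http.client debug output prints.
HEADER_LINE = re.compile(r"^header:\s*([^:\s]+):\s*(.*?)\s*$")

@dataclass
class LoginOutcome:
    status: str               # "ok", "second_factor" or "error"
    tf_method: Optional[int]  # value of X-NE-tf (1 and 5 are the ones seen in this thread)
    message: str              # text of X-NE-message, if any

def parse_debug_headers(trace: str) -> Dict[str, str]:
    """Collect response headers from a pasted --debug trace (names lowercased)."""
    headers = {}
    for line in trace.splitlines():
        m = HEADER_LINE.match(line.strip())
        if m:
            headers[m.group(1).lower()] = m.group(2)
    return headers

def classify_login(headers: Dict[str, str]) -> LoginOutcome:
    h = {k.lower(): v.strip() for k, v in headers.items()}
    message = h.get("x-ne-message", "")
    raw_tf = h.get("x-ne-tf")
    if raw_tf is not None:
        if not re.fullmatch(r"[0-9]+", raw_tf):
            # Fail closed on a value we cannot interpret.
            return LoginOutcome("error", None, "unparseable X-NE-tf: %r" % raw_tf)
        method = int(raw_tf)
        if method != 0:  # assumption: 0 (or no header) means no second factor
            return LoginOutcome("second_factor", method, message)
    if message:
        # A message without a challenge header is treated as a hard failure.
        return LoginOutcome("error", None, message)
    return LoginOutcome("ok", None, "")

# Constructed sample: a subset of the header lines quoted in this issue.
SAMPLE_TRACE = """\
reply: 'HTTP/1.1 200 OK\\r\\n'
header: Server: SonicWALL SSL-VPN Web Server
header: X-NE-tf: 1
header: X-NE-message: Get a verification code from the two-factor authentication app and verify your identity
header: Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    print(classify_login(parse_debug_headers(SAMPLE_TRACE)))
```

How the verification code is then submitted is not shown anywhere in this thread, so the sketch stops at detection.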