ancwrd1 / snx-rs

Open source Linux client for Checkpoint VPN tunnels
GNU Affero General Public License v3.0

Implement SMS based MFA #4

Closed DistantThunder closed 5 months ago

DistantThunder commented 6 months ago

Hi & Happy New Year to you!

I found this very promising client to try to solve Checkpoint incompetence about this whole affair.

In my org, they use SMS based MFA.

2024-01-05T10:26:13.112697Z DEBUG snx_rs: >>> Starting snx-rs client version 0.5.1
2024-01-05T10:26:13.118600Z DEBUG hyper::client::connect::dns: resolving host="xxx"
2024-01-05T10:26:13.119419Z DEBUG hyper::client::connect::http: connecting to xxx:443
2024-01-05T10:26:13.125300Z DEBUG hyper::client::connect::http: connected to xxx:443
2024-01-05T10:26:13.144117Z DEBUG hyper::proto::h1::io: flushed 281 bytes
2024-01-05T10:26:13.149523Z DEBUG hyper::proto::h1::io: parsed 8 headers
2024-01-05T10:26:13.149532Z DEBUG hyper::proto::h1::conn: incoming body is content-length (1956 bytes)
2024-01-05T10:26:13.149771Z DEBUG hyper::proto::h1::conn: incoming body completed
{
  "ResponseData": {
    "connectivity_info": {
      "client_enabled": true,
      "connect_with_certificate_url": "\"/clients/cert/\"",
      "connectivity_type": "IPSec",
      "cookie_name": "CPCVPN_SESSION_ID",
      "default_authentication_method": "legacy",
      "internal_ca_fingerprint": [
        "xxx",
        "xxx"
      ],
      "ipsec_transport": "auto_detect",
      "natt_port": 4500,
      "server_ip": "xxx",
      "supported_data_tunnel_protocols": [
        "IPSec",
        "SSL",
        "L2TP"
      ],
      "tcpt_port": 443
    },
    "end_point_security": {
      "ics": {
        "ics_base_url": "\"/clients/ICS/components\"",
        "ics_cab_url": "\"/clients/ICS/components/cl_ics.cab\"",
        "ics_cab_version": "\"997000077\n\"",
        "ics_images_url": "\"/clients/ICS/components/ICS_images.cab\"",
        "ics_images_ver": 403006000,
        "ics_upgrade_url": "\"/clients/ICS/components/icsweb.cab\"",
        "ics_version": 403006000,
        "run_ics": false
      }
    },
    "login_options_data": {
      "login_options_list": [
        {
          "display_name": "Standard",
          "factors": [
            {
              "certificate_storage_type": "",
              "custom_display_labels": {
                "header": "\"Please provide credentials to authenticate\"",
                "password": "Password",
                "username": "\"User name\""
              },
              "factor_type": "user_defined",
              "securid_card_type": ""
            }
          ],
          "id": "vpn",
          "secondary_realm_hash": "xxx",
          "show_realm": 1
        }
      ],
      "login_options_md5": "xxx"
    },
    "protocol_version": {
      "features": 1,
      "protocol_version": 100
    },
    "upgrade_configuration": {
      "available_client_version": 0,
      "client_upgrade_url": "",
      "upgrade_mode": "ask_user"
    }
  },
  "ResponseHeader": {
    "id": 2,
    "return_code": 600,
    "session_id": "",
    "type": "ClientHello"
  }
}

When using:

2024-01-05T10:33:23.244758Z DEBUG snx_rs: >>> Starting snx-rs client version 0.5.1
2024-01-05T10:33:23.244766Z DEBUG snx_rs: Running in standalone mode
2024-01-05T10:33:23.244771Z DEBUG snx_rs::tunnel: Connecting to http endpoint: remote.fr.publicisgroupe.net
2024-01-05T10:33:23.251355Z DEBUG hyper::client::connect::dns: resolving host="remote.fr.publicisgroupe.net"
2024-01-05T10:33:23.252175Z DEBUG hyper::client::connect::http: connecting to 81.200.176.13:443
2024-01-05T10:33:23.256727Z DEBUG hyper::client::connect::http: connected to 81.200.176.13:443
2024-01-05T10:33:23.272594Z DEBUG hyper::proto::h1::io: flushed 386 bytes
2024-01-05T10:33:24.764521Z DEBUG hyper::proto::h1::io: parsed 8 headers
2024-01-05T10:33:24.764536Z DEBUG hyper::proto::h1::conn: incoming body is content-length (408 bytes)
2024-01-05T10:33:24.764559Z DEBUG hyper::proto::h1::conn: incoming body completed
Error: Invalid auth response!

I still get the SMS with the MFA code however! So we're close. Do you think it'd be possible to implement a prompt to input the code?

Thank you!
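The ClientHello body posted above is the only part of the exchange the issue shows, so a parser for it is a useful starting point for anyone working on the MFA prompt. The following is an added example, not code from snx-rs; it embeds a constructed, trimmed copy of the response from the log, and the helper names (`unquote_cp`, `parse_client_hello`, `build_prompts`) are my own. Note two quirks visible in the sample: several string values carry literal double quotes inside the JSON string, and `ics_cab_version` also carries a trailing newline, so values must be unwrapped before they are shown or compared.

```python
"""Parse a Check Point ClientHello response of the shape posted in this issue.

Added example, not part of snx-rs. SAMPLE_CLIENT_HELLO is a constructed,
cut-down copy of the response from the log above; the helpers are my own.
"""
import json

# Constructed sample: trimmed from the ClientHello body in the issue.
SAMPLE_CLIENT_HELLO = r'''{
  "ResponseData": {
    "connectivity_info": {
      "client_enabled": true,
      "connectivity_type": "IPSec",
      "cookie_name": "CPCVPN_SESSION_ID",
      "default_authentication_method": "legacy",
      "natt_port": 4500,
      "server_ip": "xxx",
      "supported_data_tunnel_protocols": ["IPSec", "SSL", "L2TP"],
      "tcpt_port": 443
    },
    "end_point_security": {
      "ics": {"ics_cab_version": "\"997000077\n\"", "run_ics": false}
    },
    "login_options_data": {
      "login_options_list": [
        {
          "display_name": "Standard",
          "factors": [
            {
              "certificate_storage_type": "",
              "custom_display_labels": {
                "header": "\"Please provide credentials to authenticate\"",
                "password": "Password",
                "username": "\"User name\""
              },
              "factor_type": "user_defined",
              "securid_card_type": ""
            }
          ],
          "id": "vpn",
          "show_realm": 1
        }
      ]
    },
    "protocol_version": {"features": 1, "protocol_version": 100}
  },
  "ResponseHeader": {"id": 2, "return_code": 600, "session_id": "", "type": "ClientHello"}
}'''


def unquote_cp(value):
    """Strip the literal double quotes (and stray whitespace/newline) that the
    gateway wraps around some string values, e.g. "\"User name\""."""
    if not isinstance(value, str):
        return value
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1].strip()
    return value


def parse_client_hello(body):
    """Validate the header and return the fields a client needs to drive login."""
    doc = json.loads(body)
    header = doc["ResponseHeader"]
    if header.get("type") != "ClientHello":
        raise ValueError(f"unexpected response type {header.get('type')!r}")
    if header.get("return_code") != 600:  # 600 is the code seen in the successful hello above
        raise ValueError(f"gateway returned code {header.get('return_code')}")
    data = doc["ResponseData"]
    conn = data["connectivity_info"]
    options = []
    for opt in data["login_options_data"]["login_options_list"]:
        factors = []
        for factor in opt.get("factors", []):
            labels = {k: unquote_cp(v)
                      for k, v in factor.get("custom_display_labels", {}).items()}
            factors.append({"type": factor.get("factor_type", ""), "labels": labels})
        options.append({"id": opt["id"],
                        "name": unquote_cp(opt.get("display_name", "")),
                        "factors": factors})
    return {
        "cookie_name": conn["cookie_name"],
        "default_auth": conn["default_authentication_method"],
        "tunnel_protocols": list(conn["supported_data_tunnel_protocols"]),
        "ics_cab_version": unquote_cp(data["end_point_security"]["ics"]["ics_cab_version"]),
        "login_options": options,
    }


def build_prompts(option):
    """Return (label, is_secret) prompts to show for one login option.
    Only the factors advertised in the hello are covered; the SMS code step in
    this issue is not advertised here, so it has to be handled from the later
    auth response instead."""
    prompts = []
    for factor in option["factors"]:
        labels = factor["labels"]
        prompts.append((labels.get("username", "Username"), False))
        prompts.append((labels.get("password", "Password"), True))
    return prompts


if __name__ == "__main__":
    hello = parse_client_hello(SAMPLE_CLIENT_HELLO)
    for opt in hello["login_options"]:
        print(opt["id"], opt["name"], build_prompts(opt))
```

The hello above advertises a single `user_defined` factor, yet the reporter still received an SMS after submitting credentials, so a client that derives its prompts from the hello alone cannot anticipate the code step; that is consistent with the `Invalid auth response!` seen when the 408-byte auth reply did not match what the client expected.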

ancwrd1 commented 6 months ago

Hi, yeah, I think it's possible but I need to know the requests and responses for MFA codes. The server I have access to doesn't have it enabled unfortunately. If you have a working official client you could use mitmproxy to intercept the traffic:

mitmweb -m reverse:https://serveraddress@443

Then point the official Checkpoint VPN client to https://localhost (or the machine where you run mitmweb), and open a web browser at http://127.0.0.1:8081 to see the traffic.
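Anyone capturing their own client's traffic with the reverse-proxy setup above will end up with a log containing their VPN password and the `CPCVPN_SESSION_ID` session cookie, which should not be pasted into a public issue. The addon below is an added example, not part of snx-rs or mitmproxy: it writes each JSON request/response pair to a file with those values blanked. The `session_id` key, the `password` label and the cookie name come from the response posted in this issue; the file name and the class/function names are my own choices.

```python
"""mitmproxy addon: log Check Point VPN client JSON exchanges with secrets blanked.

Added example, not code from snx-rs or mitmproxy. Load it with
`mitmweb -m reverse:https://serveraddress@443 -s cp_redact_log.py` (file name
is an assumption). The redaction helpers have no mitmproxy dependency so they
can be exercised stand-alone.
"""
import json
import re

try:
    from mitmproxy import http  # only available when running inside mitmproxy
except ImportError:  # stand-alone use of the helpers below
    http = None

# Keys whose values are blanked; both appear in the exchange shown in the issue.
SECRET_KEYS = {"session_id", "password"}
# The cookie name comes from the ClientHello's "cookie_name" field.
COOKIE_RE = re.compile(r"(CPCVPN_SESSION_ID=)[^;\s]+")


def redact(obj):
    """Recursively replace non-empty values of secret-bearing keys, keeping the
    document structure intact so the protocol shape can still be studied."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if key.lower() in SECRET_KEYS and value not in ("", None):
                out[key] = "<redacted>"
            else:
                out[key] = redact(value)
        return out
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def redact_cookie_header(value):
    """Blank the session cookie value in a Cookie header string."""
    return COOKIE_RE.sub(r"\1<redacted>", value)


def redact_body(raw):
    """Parse a JSON body and return the redacted document, or None if not JSON."""
    try:
        return redact(json.loads(raw))
    except (ValueError, TypeError):
        return None


def render_body(raw):
    """Pretty-print a redacted JSON body; non-JSON bodies are noted by size only."""
    doc = redact_body(raw)
    if doc is None:
        return f"<non-JSON body, {len(raw or '')} chars>"
    return json.dumps(doc, indent=2, sort_keys=True)


class CheckPointLogger:
    """Append each completed request/response pair to a log file."""

    def __init__(self, path="cp-vpn-exchange.log"):  # path is an assumption
        self.path = path

    def response(self, flow):
        cookie = redact_cookie_header(flow.request.headers.get("cookie", ""))
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(f"### {flow.request.method} {flow.request.path} cookie={cookie!r}\n")
            fh.write(render_body(flow.request.get_text()) + "\n")
            fh.write(f"--- {flow.response.status_code}\n")
            fh.write(render_body(flow.response.get_text()) + "\n")


addons = [CheckPointLogger()]
```

Empty `session_id` values (as in the ClientHello, where the session does not exist yet) are left as-is so the log still shows where in the exchange the gateway first issues one.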

ancwrd1 commented 6 months ago

Hi, I have found some information about MFA exchange, there is a branch called "mfacode", you could check it out, build (with "cargo build", requires Rust compiler) and try.

ancwrd1 commented 5 months ago

That should be finished now and part of the main code branch.