schlatterbeck / snxvpn

Command-line utility to connect to a Checkpoint SSL VPN

AttributeError: 'NoneType' object has no attribute 'encode' #9

Open eppesuig opened 6 years ago

eppesuig commented 6 years ago

Hello, I am testing snxvpn with python3 on a debian stretch machine. I installed the program with pip3 and I installed python3-lxml as well. Now, when I run snxconnect with parameters --host, --snxpath, and --username, I get this error:

    Traceback (most recent call last):
      File "/usr/local/bin/snxconnect", line 5, in <module>
        main ()
      File "/usr/local/lib/python3.5/dist-packages/snxconnect.py", line 511, in main
        result = rq.login ()
      File "/usr/local/lib/python3.5/dist-packages/snxconnect.py", line 193, in login
        ( password = enc.encrypt (self.args.password)
      File "/usr/local/lib/python3.5/dist-packages/snxconnect.py", line 379, in encrypt
        x = self.pad (password)
      File "/usr/local/lib/python3.5/dist-packages/snxconnect.py", line 365, in pad
        for x in iterbytes (reversed (txt.encode ('utf-8'))) :
    AttributeError: 'NoneType' object has no attribute 'encode'

Any hint on what to check?

Thank you very much, Giuseppe

schlatterbeck commented 6 years ago

Thanks for the bug-report. Fixed in the latest commit. The problem was: I'm mainly using it with a .netrc file. That means I didn't notice that password prompting didn't work. Let me know if it works for you.

eppesuig commented 6 years ago

Hello, it seems the problem is not fixed. I am prompted for the password, but then the program stops like this:

    Traceback (most recent call last):
      File "/usr/local/bin/snxconnect", line 5, in <module>
        main ()
      File "/usr/local/lib/python3.5/dist-packages/snxconnect.py", line 522, in main
        result = rq.login ()
      File "/usr/local/lib/python3.5/dist-packages/snxconnect.py", line 196, in login
        ( password = enc.encrypt (self.args.password)
      File "/usr/local/lib/python3.5/dist-packages/snxconnect.py", line 390, in encrypt
        x = self.pad (password)
      File "/usr/local/lib/python3.5/dist-packages/snxconnect.py", line 376, in pad
        for x in iterbytes (reversed (txt.encode ('utf-8'))) :
    AttributeError: 'NoneType' object has no attribute 'encode'

Bye, Giuseppe

schlatterbeck commented 6 years ago

I've pushed another change, can you test directly from git or are you using pypi?

eppesuig commented 6 years ago

Yes, the new patch fixes the password problem. Now I get a different error message:

Login failed (expected MultiChallenge)

Is this something I can work around?

Thank you, Giuseppe

schlatterbeck commented 6 years ago

On Thu, Sep 28, 2017 at 03:10:45AM -0700, eppesuig wrote:

> Yes, the new patch fixes the password problem. Now I get a different error message:
>
> Login failed (expected MultiChallenge)
>
> Is this something I can work around?

The code currently expects a second password challenge (part of the url contains MultiChallenge) with a one-time password sent to a mobile phone -- do you know how your vpn is set up, does it do this second challenge?

You can run the program with --debug which prints some more information. You should edit out site-url before posting this to github.

Ralf

--
Dr. Ralf Schlatterbeck                Tel: +43/2243/26465-16
Open Source Consulting                www: http://www.runtux.com
Reichergasse 131, A-3411 Weidling     email: office@runtux.com

eppesuig commented 6 years ago

I may connect from Windows and cisco client without any second password. This is the complete (anonymised) output using --debug:

    root@computer:~# snxconnect --debug --host vpn.XXXX.com --snxpath /usr/bin/snx --username user@domain
    Password:
    sslvpn/Login/Login
    https://vpn.XXXX.com/sslvpn/Login/Login
    sslvpn/Login/../Login/JS_RSA.js
    {'modulus': 'c63c133...dff54c319', 'exponent': '010001'}
    sslvpn/Login/Login
    https://vpn.XXXX.com/sslvpn/Login/Login
    Date: Thu, 28 Sep 2017 10:22:18 GMT
    Server: CPWS
    X-Frame-Options: SAMEORIGIN
    Pragma: no-cache
    Cache-Control: no-store
    Vary: User-Agent
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=utf-8

    Login failed (expected MultiChallenge)
    Login failed (no MultiChallenge): https://vpn.XXXX.com/sslvpn/Login/Login

schlatterbeck commented 6 years ago

On Thu, Sep 28, 2017 at 03:26:50AM -0700, eppesuig wrote: ...

> Login failed (expected MultiChallenge)
> Login failed (no MultiChallenge): https://vpn.XXXX.com/sslvpn/Login/Login

OK, this looks like it's asking for the secondary (phone) password which is not configured for your instance.

I've refactored this to not ask for the second PW if we don't get a MultiChallenge response.

Can you check what this is doing now, I'm just guessing here because I don't have a VPN without a second password to test.

Sorry for the delay, I don't have much time to work on this currently...

Ralf
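The two decisions this thread turns on, written out as an added example (not snxvpn's own code): resolve the password before it ever reaches the encrypt step, so `pad()` never sees `None`, and ask for the second password only when the login response really lands on a MultiChallenge URL. Function names and the `Portal` path fragment are assumptions; the `Login/Login` and `MultiChallenge` fragments come from the debug output in this thread.

```python
import getpass
import netrc
from urllib.parse import urlsplit


def resolve_password(host, explicit=None, netrc_path=None, prompt=getpass.getpass):
    """Return the password to encrypt for `host`, never None.

    Order: explicit --password argument, then a netrc entry (the path the
    original author relies on), then an interactive prompt.  The caller must
    store the result back where the encrypt step reads it (self.args.password
    in the traceback above); returning it without storing it reproduces the
    second traceback in this thread.
    """
    if explicit:
        return explicit
    try:
        entry = netrc.netrc(netrc_path).authenticators(host)
    except (OSError, netrc.NetrcParseError):
        entry = None          # no netrc, or unreadable: fall through to prompt
    if entry and entry[2]:
        return entry[2]       # (login, account, password) -> password
    return prompt("Password: ")


def classify_login_response(final_url):
    """Classify the URL the login POST ended up at after redirects.

    Only 'multichallenge' warrants prompting for a second (one-time) password.
    'login_again' is the case reported here: the gateway bounced the client
    back to the login form, so prompting for a second password is wrong and
    the real cause is rejected credentials or a missing POST parameter.
    The 'Portal' fragment is an assumption, not taken from the thread.
    """
    path = urlsplit(final_url).path
    if "MultiChallenge" in path:
        return "multichallenge"
    if "Portal" in path:
        return "portal"
    if path.endswith("/Login/Login"):
        return "login_again"
    return "unexpected"


def second_password_needed(final_url):
    """True only when the gateway actually asks for the second factor."""
    return classify_login_response(final_url) == "multichallenge"
```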

eppesuig commented 6 years ago

Hello Ralf, this is the output I get, with debug.

    root@computer:~# snxconnect --debug --host vpn.XXXXX.com --snxpath /usr/bin/snx --username user@XXXXX
    Password:
    sslvpn/Login/Login
    https://vpn.XXXXX.com/sslvpn/Login/Login
    sslvpn/Login/../Login/JS_RSA.js
    {'modulus': 'c63c13369305...87edff54c319', 'exponent': '010001'}
    sslvpn/Login/Login
    https://vpn.XXXXX.com/sslvpn/Login/Login
    Date: Wed, 04 Oct 2017 07:12:34 GMT
    Server: CPWS
    X-Frame-Options: SAMEORIGIN
    Pragma: no-cache
    Cache-Control: no-store
    Vary: User-Agent
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=utf-8

    Unexpected response, looking for MultiChallenge or Portal purl: https://vpn.XXXXX.com/sslvpn/Login/Login

Bye, Giuseppe

P.S. Don't bother about delays: I am busy too :-)

schlatterbeck commented 6 years ago

On Wed, Oct 04, 2017 at 12:15:47AM -0700, eppesuig wrote:

> Hello Ralf, this is the output I get, with debug.
>
> Unexpected response, looking for MultiChallenge or Portal purl: https://vpn.XXXXX.com/sslvpn/Login/Login

Looks like it's taking you back to login. It may well be that I'm missing some parameters in a post request. Are you able to log in via browser?

In my experiments sometimes logging in via browser, trying to establish a VPN connection (which fails due to Java problems) and disconnecting will then make it work with snxconnect -- which indicates I'm still missing some magic. Can you try this?

That said, are you able to further debug this? I'm using mitmdump from the mitmproxy.org suite. There is an installer in the download section on that website that doesn't need lots of python modules...

You also may be successful just using the snx binary directly. This has a config-file ~/.snxrc with "server" and "username" settings if you don't want to specify this on the command-line. On the other hand the connection stuff in snx uses outdated crypto and may not work with your vpn -- the undocumented option I'm using is also used by the Java framework and bypasses the login stuff (which is handled by java or snxconnect).

    % snx --help
    Check Point's Linux SNX build 800007116
    usage: snx -s <server> {-u <user>|-c <certfile>} [-l <ca dir>] [-p <port>] [-r] [-g] [-e <cipher>]
                             run SNX using given arguments
           snx -f             run the snx using configuration file
           snx                run the snx using the ~/.snxrc
           snx -d             disconnect a running SNX daemon

        -s <server>           connect to server <server>
        -u <user>             use the username <user>
        -c <certfile>         use the certificate file <certfile>
        -l <ca dir>           get trusted ca's from <ca dir>
        -p <port>             connect using port <port>
        -g                    enable debugging
        -e <cipher>           SSL cipher to use: RC4 or 3DES

Ralf

eppesuig commented 6 years ago

Hello Ralf, I installed the Debian package mitmproxy and ran it. It opened a regular proxy on localhost:8080. I set up the environment variable https_proxy=http://localhost:8080 before running your program, and I got the error message:

    urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:720)>

So, I opened a browser, connected via the proxy to "https://vpn.XXXXX.com/" and saved the SSL certificate. Then, as root, I moved that file to /usr/local/share/ca-certificates/mitmit.crt and ran update-ca-certificates. Now that CA should be trusted by openssl applications like python. I ran your program again and got the same error. Do you have any suggestion on how to proceed?

Thank you, Giuseppe

schlatterbeck commented 6 years ago

On Wed, Oct 04, 2017 at 07:36:27AM -0700, eppesuig wrote:

> Hello Ralf, I installed the Debian package mitmproxy and ran it. It opened a regular proxy on localhost:8080. I set up the environment variable https_proxy=http://localhost:8080 before running your program, and I got the error message:
>
>     urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:720)>
>
> So, I opened a browser, connected via the proxy to "https://vpn.XXXXX.com/" and saved the SSL certificate. Then, as root, I moved that file to /usr/local/share/ca-certificates/mitmit.crt and ran update-ca-certificates. Now that CA should be trusted by openssl applications like python. I ran your program again and got the same error. Do you have any suggestion on how to proceed?

I had configured mitmproxy so that the local url is http while the remote url is https. This will work for the whole handshake part (including doing this in the browser) but of course starting snxvpn on that connection is impossible.

From my notes:

    mitmdump -R https://example.com -z -p 6060 --anticache \
        --replace='+~hq Host+localhost:6060+example.com' \
        --replace='+~hs Set-Cookie+ secure;+' \
        --replace='+~hs Location+https://example.com+http://localhost:6060' \
        -w outfile

    Rewrite cookies to remove secure option so that browser will send back
    the cookies via http. Listen to all interfaces not just 127.0.0.1.

You should replace example.com with your remote vpn url of course. The url you connect to (with browser and/or snxconnect) is then http://localhost:6060

Ralf

eppesuig commented 6 years ago

Hello Ralf, I finally tried your suggestion, but I made some mistake since it did not start. This is what I've done:

  1. start mitmdump as you suggested, changing example.com with my VPN server site URL
  2. connected with this command: "env http_proxy=http://localhost:6060 snxconnect --debug --host localhost:80 --snxpath /usr/bin/snx --username itatgxsa@company.tld". This did not use the mitm proxy and gave error «SSL: WRONG_VERSION_NUMBER»
  3. I made the same command with https_proxy instead of http_proxy. This used mitm proxy and gave error «urlopen error Tunnel connection failed: 400 Bad Request». I know it uses mitm since mitm wrote on its stdout «HTTP protocol error in client request: Invalid HTTP request form (expected: relative, got: authority)».

Do you have any idea about what I am doing wrong?

Thank you very much, Giuseppe

schlatterbeck commented 6 years ago

On Mon, Oct 16, 2017 at 11:53:03PM -0700, eppesuig wrote:

> Hello Ralf, I finally tried your suggestion, but I made some mistake since it did not start. This is what I've done:
>
>   1. start mitmdump as you suggested, changing example.com with my VPN server site URL
>   2. connected with this command: "env http_proxy=http://localhost:6060 snxconnect --debug --host localhost:80 --snxpath /usr/bin/snx --username itatgxsa@company.tld". This did not use the mitm proxy and gave error «SSL: WRONG_VERSION_NUMBER»
>   3. I made the same command with https_proxy instead of http_proxy. This used mitm proxy and gave error «urlopen error Tunnel connection failed: 400 Bad Request». I know it uses mitm since mitm wrote on its stdout «HTTP protocol error in client request: Invalid HTTP request form (expected: relative, got: authority)».
>
> Do you have any idea about what I am doing wrong?

Hmm, my suggestion was to connect with the browser and see if you are able to login. The browser wouldn't see a https connection and you would be able to sniff all the traffic between the browser and the proxy (e.g. using tcpdump and/or wireshark, I normally use tcpdump to write the dump to disk and then use wireshark to analyze). You wouldn't set a proxy in the browser but instead directly connect to localhost:6060.

I've never tried to use ssl with mitmproxy -- you probably would need a valid certificate for this to work. The main idea is to have the whole traffic in clear between browser and proxy to be able to look at the contents (although you can get that with mitmdump, too, but I prefer the format that I see in wireshark).

Thanks for your patience :-) Ralf


crschimidtsp commented 5 years ago

Hi Ralf, could you help me please? I'm trying to connect to Checkpoint VPN using linux, but I am stuck in this error:

    [root@fedora ~]# snxconnect -D -H vpnti.xxxxxx.com.br -U x213716 --save-cookies
    Password:
    sslvpn/Login/Login
    https://FQDN/sslvpn/Login/Login
    sslvpn/Login/../Login/JS_RSA.js
    {u'modulus': u'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', u'exponent': u'010001'}
    sslvpn/Login/Login
    Traceback (most recent call last):
      File "/usr/bin/snxconnect", line 5, in <module>
        main ()
      File "/usr/lib/python2.7/site-packages/snxconnect.py", line 522, in main
        result = rq.login ()
      File "/usr/lib/python2.7/site-packages/snxconnect.py", line 196, in login
        ( password = enc.encrypt (self.args.password)
      File "/usr/lib/python2.7/site-packages/snxconnect.py", line 390, in encrypt
        x = self.pad (password)
      File "/usr/lib/python2.7/site-packages/snxconnect.py", line 376, in pad
        for x in iterbytes (reversed (txt.encode ('utf-8'))) :
    AttributeError: 'NoneType' object has no attribute 'encode'

I'd appreciate any help

swaechter commented 4 years ago

@crschimidtsp I have the same problem, were you able to figure it out?

tuxflo commented 4 years ago

I'm not sure if this helps but I'm using a fork of this project (https://github.com/agnis-mateuss/snxvpn) and I don't have issues with connecting to a CheckPoint VPN.

swaechter commented 4 years ago

@tuxflo Thank you for the link, I tried it (Installing the software, importing the self signed certificate, playing around with the options etc), but I always ended up with a Login failed (expected MultiChallenge)

Although I respect and appreciate the time people spend in these projects + helping others, it's like fighting in an already lost battle (No upstream vendor support from Checkpoint) :(