Kevin, I follow your idea and I used SSLSPLIT as a mitmproxy. It works like a charm and copy every single sessions to a log file decrypted. Nice and easy I have find the POST you found on your side and this so long data list (endpoint.xxx = "parameter") = more than 800 lines: There is not the headers as you talked about. Perhaps in newer AnyConnect version it is different or SSLSPLIT is only recording common headers ? The complete session log is here : http://pastebin.com/nGtcyeKA Extract : POST /+CSCOE+/sdesktop/scan.xml?reusebrowser=1 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: text/xml Cookie: sdesktop=1E167F3712DE5436148271D1 Content-Length: 21760 Host: www.MONSITE.com endpoint.os.version="Windows 7"; endpoint.os.servicepack="Service Pack 1"; endpoint.os.architecture="x64"; endpoint.os.processor_level="unknown"; endpoint.policy.location="corporate"; endpoint.device.protection="cache cleaner";endpoint.registry. endpoint.device.protection_version="3.1.02043"; ... endpoint.os.hotfix["KB2852386"]="true"; endpoint.registry["1"]={}; endpoint.registry["1"].exists="true"; endpoint.registry["1"].path="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Domain"; endpoint.registry["1"].type="string"; endpoint.registry["1"].value="MONSITE.com"; endpoint.file["3"]={}; endpoint.file["3"].exists="false"; I also find the data.xml at the URL you send. And as far as I understand, hostscan will look at 2 parameters : Windows or MAC system and registry key for windows or file for MAC. Linux is denied Extract from file data.xml : <multilocation> <sequence> <start> <choose type="os_check"> <when label="Win 2K/XP/Vista/Win7/8" test="os_check" arg1="win2k"> <choose type="registry_check"> <when label="Success" test="reg_check_string" arg1="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Domain" arg2="contains" arg3="MONSITE.com" arg4="off"> <location name="corporate" /> </when> <otherwise label="Failure"> <location name="Home Users" /> </otherwise> </choose> </when> <when label="Win 9x" test="os_check" arg1="win9x"> <denied /> </when> <when label="Mac" test="os_check" arg1="mac"> <choose type="file_check"> <when label="Success" test="file_check_exists" arg1="/Applications/.NTCT/VPN.key"> <location name="MAC_DAP" /> </when> <otherwise label="Failure"> <location name="Home Users" /> </otherwise> </choose> </when> <when label="Linux" test="os_check" arg1="linux"> <denied /> </when> <otherwise label="Failure"> <denied /> </otherwise> </choose> </start> </sequence> </multilocation> You can probably help me for the last step to understand how to POST the good data (if we have all infos and if it is really by posting endpoint.xxx infos): I suppose by forging the right endpoint.registry.path="HKEY_LOCAL..." and endpoint.os.version should do the trick. Thanks in advance for your help and advice -- Fromzy
