help with upgraded Cisco AnyConnect VPN

Hi Daniel,

Thanks for the response. I had seen these things except for the wrapper 
script from David Woodhouse (linked to on the list). I tried that one but I 
was unsurprised when it did not work (you'll see why...).

hostscan-bypass did not work for me. It appears to be creating a MITM attack 
and capturing the hostscan response. The code appears to be scraping lines 
from the response that have "endpoint" in them and inserting those into a 
boilerplate script. Importantly, it does not modify the lines, which implies 
they must constitute a correct response to begin with. My guess is that this 
tool is only useful if you have another machine (Windows likely) that already 
works (I don't). I do have an AC Linux client but it is an old one and I 
think it is not compatible with my org's new VPN. I can't use it anyway 
because Cisco's client does not have *any* support for PIV cards (one might 
think they could at least accept a PK11 URI like OC does, but, well... Cisco).

I do have my org's data.xml and I've been trying to guess how to build a 
valid response from it. I think I am probably very close but it's hard to 
know what I'm missing because I don't know what it's looking for. To make 
matters worse, my org's vpn appears to use a newer version of hostscan with a 
different response format. Most examples I've found online use the old 
response format (which uses terms like "av" and "fw"). The new one uses "am" 
(anti-malware) and "pfw" (personal firewall). The changes are described 
(high-level) in a Cisco migration document:

https://www.cisco.com/c/en/us/td/docs/security/asa/migration/guide/HostscanMigration43x-46x.html

(Look for "Endpoint Attribute Definitions" about halfway down.)

This doc contains some examples of the responses they want. There appear to 
be added fields relative to the older format. As you probably know, the 
backend validates the response using a Lua script which can theoretically 
contain almost anything the administrator wants to include. (If I could get 
that script this would be easy... :| )

I think I need to start a dialog with my IT dept next (I've been waiting for 
my manager to return to the office). However, I'm not very hopeful about 
that because past experiences have demonstrated that they barely know 
anything about the stuff they're using (I hope that's not typical but I fear 
it is). I might be able to get help from Cisco through them (but that's a 
whole other can of worms... :| )

Anyway, thanks again!

~ray


On 10/9/18 5:38 PM, Daniel Lenski wrote:
> On Fri, Oct 5, 2018 at 12:01 PM Ray Lambert <codemonkey at interthingy.net> wrote:
>> On 10/5/18 2:22 PM, David Woodhouse wrote:
>>> OK so the patch works. You see TOKEN_SUCCESS when you post a response
>>> regardless of whether it's acceptable or not. You have more work to do, to
>>> work out what the real hostscan would be asking for and what the correct
>>> answers are.
>> Okay, thanks for confirming.
>>
>> Do you have any pointers on figuring out what hostscan wants to see?  I don't
>> have access to a working one that I can peek at.
> Corey Gilks wrote a tool that tries to figure out what your VPN's
> hostscan wants to receive: https://github.com/Gilks/hostscan-bypass
>
> You might want to see this thread from August:
> http://lists.infradead.org/pipermail/openconnect-devel/2018-August/005024.html
>
> "In some cases hostscan can be looking for the existence of specific
> registry keys or software. Without the correct values the connection
> may be rejected. On the other hand, failure to provide the correct
> values may result in a successful connection but could result in being
> placed in a restricted vlan. It really comes down to how the
> administrators configured hostscan. If you find yourself in a scenario
> where the static CSD files (such as the one you linked) are not
> allowing you to connect then you will need to MITM the correct values
> from an AnyConnect client.
> That's where hostscan-bypass comes in handy!"
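The thread above turns on two points: hostscan-bypass keeps only the lines of a captured posture report that mention "endpoint", and the report format changed between hostscan releases (legacy reports use "av"/"fw" product classes, newer ones use "am"/"pfw"). The following is an added example, not code from the thread, from hostscan-bypass or from Cisco: a small parser that reads a posture report in that `endpoint.<path>="value";` line form, tells the two formats apart, and lists which attributes a validator would find missing. The two sample reports are constructed; the attribute names (`endpoint.os.version`, `endpoint.pfw[...]`, `endpoint.am[...]`) follow the convention the migration document describes, but the products, versions and the required-attribute list are assumptions for illustration only.

```python
import re

# Constructed sample in the newer (am/pfw) format. Attribute names follow the
# endpoint.* convention; products and values are made up for this example.
SAMPLE_NEW = """\
endpoint.os.version="Linux";
endpoint.os.servicepack="4.15.0";
endpoint.os.architecture="x64";
endpoint.device.hostname="laptop";
endpoint.pfw["IPTablesFW"]={};
endpoint.pfw["IPTablesFW"].exists="true";
endpoint.pfw["IPTablesFW"].description="IPTables (Linux)";
endpoint.pfw["IPTablesFW"].version="1.6.1";
endpoint.pfw["IPTablesFW"].enabled="ok";
endpoint.am["ClamAV"]={};
endpoint.am["ClamAV"].exists="true";
endpoint.am["ClamAV"].version="0.100.1";
"""

# Constructed sample in the legacy (av/fw) format.
SAMPLE_OLD = """\
endpoint.os.version="Linux";
endpoint.fw["IPTablesFW"]={};
endpoint.fw["IPTablesFW"].exists="true";
endpoint.av["ClamAV"]={};
endpoint.av["ClamAV"].exists="true";
"""

# One assignment per line: endpoint.<path> = <value>;
LINE_RE = re.compile(r'^\s*endpoint\.(?P<path>[^=]+?)\s*=\s*(?P<value>.*?);\s*$')
# Path components are either bare identifiers or ["quoted indices"].
PART_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)|\["([^"]*)"\]')

LEGACY_CLASSES = {'av', 'fw'}    # product classes named in the thread as the old format
CURRENT_CLASSES = {'am', 'pfw'}  # product classes named in the thread as the new format


def parse_report(text):
    """Map each endpoint.* path (as a tuple of components) to its string value.

    Lines without "endpoint" are skipped, mirroring the scraping step described
    in the thread. A value of {} marks a container and is stored as an empty dict.
    """
    attrs = {}
    for line in text.splitlines():
        if 'endpoint.' not in line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'unparseable posture line: {line!r}')
        path = tuple(ident or index for ident, index in PART_RE.findall(m.group('path')))
        value = m.group('value')
        if value == '{}':
            attrs[path] = {}
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            attrs[path] = value[1:-1]
        else:
            raise ValueError(f'unexpected value syntax: {line!r}')
    return attrs


def detect_format(attrs):
    """Classify a parsed report as 'new' (am/pfw), 'legacy' (av/fw) or 'unknown'."""
    top_level = {path[0] for path in attrs}
    if top_level & CURRENT_CLASSES:
        return 'new'
    if top_level & LEGACY_CLASSES:
        return 'legacy'
    return 'unknown'


def products(attrs, product_class):
    """Names reported under endpoint.<product_class>[...], e.g. 'pfw' or 'fw'."""
    return sorted({path[1] for path in attrs
                   if len(path) >= 2 and path[0] == product_class})


def missing_attributes(attrs, required):
    """Return the required paths (tuples) that the report does not contain.

    This is the shape of check a server-side validator performs; a client that
    omits a required attribute fails posture even if every line it sent is valid.
    """
    return [path for path in required if path not in attrs]


if __name__ == '__main__':
    for label, sample in (('new', SAMPLE_NEW), ('legacy', SAMPLE_OLD)):
        report = parse_report(sample)
        print(label, detect_format(report), products(report, 'pfw'), products(report, 'fw'))
    # Hypothetical policy: the firewall must be reported as enabled.
    print(missing_attributes(parse_report(SAMPLE_OLD),
                             [('fw', 'IPTablesFW', 'exists'), ('fw', 'IPTablesFW', 'enabled')]))
```

Running a captured report through `detect_format` answers the question raised in the thread (which field naming the gateway expects) without guessing from online examples, and `missing_attributes` makes explicit that a report can be syntactically perfect and still be rejected or land the client in a restricted VLAN when the administrator's policy asks for an attribute it never mentions.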