CSD use and impossible to connect (Linux)

Fromzy fromzy at gmail.com
Sun Jan 4 07:46:35 PST 2015


Kevin,

I followed your idea and used SSLSPLIT as a mitmproxy. It works like a
charm and copies every single session, decrypted, to a log file. Nice and
easy.
I have found the POST you found on your side and this very long data list
(endpoint.xxx = "parameter") of more than 800 lines.
The headers you talked about are not there. Perhaps it is different in
newer AnyConnect versions, or SSLSPLIT is only recording common
headers?
The complete session log is here: http://pastebin.com/nGtcyeKA

Extract:
POST /+CSCOE+/sdesktop/scan.xml?reusebrowser=1 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/xml
Cookie: sdesktop=1E167F3712DE5436148271D1
Content-Length: 21760
Host: www.MONSITE.com

endpoint.os.version="Windows 7";
endpoint.os.servicepack="Service Pack 1";
endpoint.os.architecture="x64";
endpoint.os.processor_level="unknown";
endpoint.policy.location="corporate";
endpoint.device.protection="cache cleaner";endpoint.registry.
endpoint.device.protection_version="3.1.02043";
...
endpoint.os.hotfix["KB2852386"]="true";
endpoint.registry["1"]={};
endpoint.registry["1"].exists="true";
endpoint.registry["1"].path="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Domain";
endpoint.registry["1"].type="string";
endpoint.registry["1"].value="MONSITE.com";
endpoint.file["3"]={};
endpoint.file["3"].exists="false";

I also found the data.xml at the URL you sent. As far as I understand,
hostscan will look at 2 parameters: Windows or Mac system, and a
registry key for Windows or a file for Mac. Linux is denied.

Extract from file data.xml:

  <multilocation>
    <sequence>
      <start>
        <choose type="os_check">
          <when label="Win 2K/XP/Vista/Win7/8" test="os_check" arg1="win2k">
            <choose type="registry_check">
              <when label="Success" test="reg_check_string" arg1="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Domain" arg2="contains" arg3="MONSITE.com" arg4="off">
                <location name="corporate" />
              </when>
              <otherwise label="Failure">
                <location name="Home Users" />
              </otherwise>
            </choose>
          </when>
          <when label="Win 9x" test="os_check" arg1="win9x">
            <denied />
          </when>
          <when label="Mac" test="os_check" arg1="mac">
            <choose type="file_check">
              <when label="Success" test="file_check_exists" arg1="/Applications/.NTCT/VPN.key">
                <location name="MAC_DAP" />
              </when>
              <otherwise label="Failure">
                <location name="Home Users" />
              </otherwise>
            </choose>
          </when>
          <when label="Linux" test="os_check" arg1="linux">
            <denied />
          </when>
          <otherwise label="Failure">
            <denied />
          </otherwise>
        </choose>
      </start>
    </sequence>
  </multilocation>

You can probably help me with the last step: understanding how to POST
the right data (if we have all the info, and if it really works by
posting the endpoint.xxx info). I suppose forging the right
endpoint.registry.path="HKEY_LOCAL..." and endpoint.os.version should
do the trick.

Thanks in advance for your help and advice.

--
Fromzy
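To make the relationship between the posted endpoint.xxx report and the data.xml policy concrete, here is an added example (not code from OpenConnect, Cisco, or the poster) that parses a report of that shape and walks the multilocation tree to decide which location the gateway would assign. The report grammar is inferred from the extract above; the mapping of endpoint.os.version strings onto the os_check classes (win2k/win9x/mac/linux), the handling of arg2="contains" only, the decision to ignore arg4="off", and the sample reports are all assumptions or constructed data:

```python
"""Evaluate a Cisco Secure Desktop / HostScan-style data.xml <multilocation> policy
against the endpoint.xxx="..."; report that HostScan POSTs to /+CSCOE+/sdesktop/scan.xml.
Illustrative code, not OpenConnect's or Cisco's.  ASSUMPTIONS: the report grammar is
inferred from the quoted extract; the endpoint.os.version -> os_check class mapping is
a guess; reg_check_string's arg4="off" is ignored because the post does not explain it.
"""
import re
import xml.etree.ElementTree as ET

REG_PATH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Domain"

# Constructed policy, cut down from the data.xml quoted in the post.
POLICY_XML = """<multilocation><sequence><start><choose type="os_check">
 <when label="Win" test="os_check" arg1="win2k"><choose type="registry_check">
  <when label="Success" test="reg_check_string" arg1="{path}" arg2="contains"
        arg3="MONSITE.com" arg4="off"><location name="corporate" /></when>
  <otherwise label="Failure"><location name="Home Users" /></otherwise>
 </choose></when>
 <when label="Win 9x" test="os_check" arg1="win9x"><denied /></when>
 <when label="Mac" test="os_check" arg1="mac"><choose type="file_check">
  <when label="Success" test="file_check_exists" arg1="/Applications/.NTCT/VPN.key">
   <location name="MAC_DAP" /></when>
  <otherwise label="Failure"><location name="Home Users" /></otherwise>
 </choose></when>
 <when label="Linux" test="os_check" arg1="linux"><denied /></when>
 <otherwise label="Failure"><denied /></otherwise>
</choose></start></sequence></multilocation>""".format(path=REG_PATH)

LINE_RE = re.compile(r'^\s*([\w.\[\]"]+)\s*=\s*(\{\}|"(.*)")\s*;\s*$')

def parse_report(text):
    """Flatten endpoint.xxx="value"; lines into {key: value}; `{}` declarations are skipped."""
    matches = filter(None, map(LINE_RE.match, text.splitlines()))
    return {m.group(1): m.group(3) for m in matches if m.group(2) != "{}"}

def find_entry(attrs, kind, path):
    """Fields of the endpoint.<kind>["N"] entry whose .path equals `path`, or None."""
    for key, value in attrs.items():
        m = re.match(r'^endpoint\.%s\["([^"]+)"\]\.path$' % kind, key)
        if m and value == path:
            prefix = 'endpoint.%s["%s"].' % (kind, m.group(1))
            return {k[len(prefix):]: v for k, v in attrs.items() if k.startswith(prefix)}
    return None

def os_class(attrs):
    """Map endpoint.os.version to the os_check arg1 names (ASSUMED mapping)."""
    v = attrs.get("endpoint.os.version", "")
    if v.startswith(("Windows 95", "Windows 98", "Windows ME")):
        return "win9x"
    if v.startswith("Windows"):
        return "win2k"
    if "Mac" in v or "OS X" in v:
        return "mac"
    return "linux" if v.startswith("Linux") else "unknown"

def run_test(when, attrs):
    """Evaluate one <when test="..."> element against the parsed report."""
    test = when.get("test")
    if test == "os_check":
        return os_class(attrs) == when.get("arg1")
    if test == "reg_check_string":
        e = find_entry(attrs, "registry", when.get("arg1"))
        if not e or e.get("exists") != "true":
            return False          # key not reported, or reported as absent
        if when.get("arg2") != "contains":
            raise ValueError("unsupported operator %r" % when.get("arg2"))
        return when.get("arg3") in e.get("value", "")
    if test == "file_check_exists":
        e = find_entry(attrs, "file", when.get("arg1"))
        return bool(e) and e.get("exists") == "true"
    raise ValueError("unsupported test %r" % test)

def evaluate(node, attrs):
    """Walk the policy tree: ("location", name), ("denied", None), or None if nothing matched."""
    for child in node:
        if child.tag == "location":
            return ("location", child.get("name"))
        if child.tag == "denied":
            return ("denied", None)
        if child.tag == "choose":      # first <when> whose test passes, else <otherwise>
            for branch in child:
                if branch.tag == "otherwise" or run_test(branch, attrs):
                    return evaluate(branch, attrs)
            return ("denied", None)
        result = evaluate(child, attrs)  # <sequence>, <start> wrappers
        if result is not None:
            return result
    return None

def classify(report_text, policy_xml=POLICY_XML):
    """Location the policy assigns to a HostScan report; unmatched reports are denied."""
    return evaluate(ET.fromstring(policy_xml), parse_report(report_text)) or ("denied", None)

# Constructed reports; WIN_CORPORATE mirrors the relevant lines of the quoted POST body.
WIN_CORPORATE = ('endpoint.os.version="Windows 7";\nendpoint.registry["1"]={};\n'
                 'endpoint.registry["1"].exists="true";\nendpoint.registry["1"].path="%s";\n'
                 'endpoint.registry["1"].value="MONSITE.com";\n' % REG_PATH)
WIN_HOME = WIN_CORPORATE.replace('"MONSITE.com"', '"other.example"')
LINUX = 'endpoint.os.version="Linux";\n'
MAC = ('endpoint.os.version="Mac OS X 10.9";\nendpoint.file["3"].exists="true";\n'
       'endpoint.file["3"].path="/Applications/.NTCT/VPN.key";\n')
```

Calling `classify(WIN_CORPORATE)` yields the "corporate" location, `classify(WIN_HOME)` falls through the registry check to "Home Users", and `classify(LINUX)` is denied, which matches the reading of data.xml above: only the OS class plus one registry key (Windows) or one file (Mac) decide the outcome, so a report whose endpoint.os.version and endpoint.registry["N"] fields satisfy those two tests is all the policy consults.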



More information about the openconnect-devel mailing list