MITM to a cisco client

Oscar Velazquez osdamv at gmail.com
Wed May 8 16:59:29 PDT 2024


Hi all

I am trying to pin down what the CSD script is doing on a Cisco 
AnyConnect Windows machine. To do that I put together a MITM proxy, but 
the connection is dropped at the last step:

POST / HTTP/1.1
Host: ********.com
User-Agent: AnyConnect Windows 4.10.07073
Accept: */*
Accept-Encoding: identity
X-Transcend-Version: 1
X-Aggregate-Auth: 1
X-AnyConnect-STRAP-Pubkey: 
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAZdU78sB/DvbQ+nfNHey2Ibs9fTbDwMU4aQwUoFSyV7p1VkqUVQXsaZLnJ8Si075qH5m3FxbgA9jnPoWbVaLPQ==
X-AnyConnect-STRAP-DH-Pubkey: 
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0QOOCs+eTiGcLIsLW1spUGExKzhphspN4LmSUInmFS4r+FnrZ84jH9nfvW6Lep+JuqBXHMt77FneEX2G5FITjA==
Content-Length: 851
Content-Type: application/x-www-form-urlencoded

<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-reply" aggregate-auth-version="2">
<version who="vpn">4.10.07073</version>
<device-id computer-name="*****" device-type="QEMU Standard PC (Q35 + 
ICH9, 2009)" platform-version="10.0.19045 " 
unique-id="FD46374763DDE3C9739E09DA7BEE13A7DA899404016AD2E42E5B0A47A6E0B648" 
unique-id-global="76EE7A4AA29ACC78B2BE86449C529B845B749FE4">win</device-id>
<mac-address-list>
<mac-address 
public-interface="true">52-54-00-af-c4-4b</mac-address></mac-address-list>
<session-token></session-token>
<session-id></session-id>
<opaque is-for="sg">
<tunnel-group>*****</tunnel-group>
<auth-handle>381550606</auth-handle>
<aggauth-handle>5272334356441946830</aggauth-handle>
<config-hash>1713988474529</config-hash></opaque>
<auth>
<password>******</password></auth>
</config-auth>


HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 08 May 2024 20:04:47 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 
'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="complete" aggregate-auth-version="2">
<session-id>******</session-id>
<session-token>******</session-token>
<auth id="success">
<message id="0" param1="" param2=""></message>
</auth>
<capabilities>
<crypto-supported>ssl-dhe</crypto-supported>
</capabilities>
<config client="vpn" type="private">
<vpn-base-config>
<optional-modules>dart,iseposture,isensa</optional-modules>
<nopkg></nopkg>
<server-cert-hash>FF634C3090B0D9439972EE8C959292CBE6DCE1EE</server-cert-hash>
</vpn-base-config>
<opaque is-for="vpn-client"></opaque>
<vpn-profile-manifest>
<vpn rev="1.0">
<file type="profile" service-type="user">
<uri>/CACHE/********</uri>
<hash type="sha1">7624A625757AEA23F181B93A9F8645F70910B869</hash>
</file>
</vpn>
</vpn-profile-manifest>
<vpn-customization-manifest>
<vpn rev="1.0">
<file app="AnyConnect" platform="win" type="binary">
<filename>*******.vbs</filename>
<hash type="sha1">12B80A1F50425234A23F209B1957CCE8B2D9EA02</hash>
</file>
</vpn>
</vpn-customization-manifest>
</config>
</config-auth>




POST / HTTP/1.1
Host: *****.com
User-Agent: AnyConnect Windows 4.10.07073
Accept: */*
Accept-Encoding: identity
X-Transcend-Version: 1
X-AnyConnect-STRAP-Pubkey: 
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAZdU78sB/DvbQ+nfNHey2Ibs9fTbDwMU4aQwUoFSyV7p1VkqUVQXsaZLnJ8Si075qH5m3FxbgA9jnPoWbVaLPQ==
X-AnyConnect-STRAP-DH-Pubkey: 
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0QOOCs+eTiGcLIsLW1spUGExKzhphspN4LmSUInmFS4r+FnrZ84jH9nfvW6Lep+JuqBXHMt77FneEX2G5FITjA==
Content-Length: 932
Content-Type: application/x-www-form-urlencoded

<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="logout" aggregate-auth-version="2">
<version who="vpn">4.10.07073</version>
<device-id computer-name="*****" device-type="QEMU Standard PC (Q35 + 
ICH9, 2009)" platform-version="10.0.19045 " 
unique-id="FD46374763DDE3C9739E09DA7BEE13A7DA899404016AD2E42E5B0A47A6E0B648" 
unique-id-global="76EE7A4AA29ACC78B2BE86449C529B845B749FE4">win</device-id>
<mac-address-list>
<mac-address 
public-interface="true">52-54-00-af-c4-4b</mac-address></mac-address-list>
<logout-reason>Unable to establish VPN.</logout-reason>
<session-token>******</session-token>
<session-id>824561664</session-id>
<opaque is-for="sg">

<tunnel-group>*****</tunnel-group>
<auth-handle>381550606</auth-handle>
<aggauth-handle>5272334356441946830</aggauth-handle>
<config-hash>1713988474529</config-hash></opaque>
</config-auth>


HTTP/1.1 404 Not Found
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Wed, 08 May 2024 20:04:50 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 
'unsafe-eval' data: blob:; frame-ancestors 'self'
content-length: 0




My hunch is that the server-cert-hash value needs to be changed, but I do 
not know what the correct value would be, or whether this is even a valid approach.
Any help would be appreciated.





