Add alternative CSD script to post results directly
This is a lot faster and more reliable than the Cisco crap. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Showing
1 changed file
with
70 additions
and
0 deletions.
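--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,70 @@
+#!/bin/bash
+# Cisco Anyconnect CSD wrapper for OpenConnect
+#
+# Instead of actually downloading and spawning the hostscan trojan,
+# this script posts results directly. Ideally we would work out how to
+# interpret the DES-encrypted (yay Cisco!) tables.dat and basically
+# reimplement the necessary parts hostscan itself. But prepackaged
+# answers, tuned to match what the VPN server currently wants to see,
+# will work for most people. Of course it's perfectly possible to make
+# this tell the truth and not just give prepackaged answers, and most
+# people should do that rather than deliberately circumventing their
+# server's security policy with lies. This script exists as an example
+# to work from.
+
+if ! xmlstarlet --version > /dev/null; then
+echo "No xmlstarlet found"
+exit 1;
+fi
+
+DATA='endpoint.os.version="Linux";
+endpoint.os.servicepack="4.17.9-200.fc28.x86_64";
+endpoint.os.architecture="x64";
+endpoint.policy.location="Default";
+endpoint.device.protection="none";
+endpoint.device.protection_version="3.1.03103";
+endpoint.device.hostname="vpnclient.example.com";
+endpoint.device.port["9217"]="true";
+endpoint.device.port["139"]="true";
+endpoint.device.port["53"]="true";
+endpoint.device.port["22"]="true";
+endpoint.device.port["631"]="true";
+endpoint.device.port["445"]="true";
+endpoint.device.port["9216"]="true";
+endpoint.device.tcp4port["9217"]="true";
+endpoint.device.tcp4port["139"]="true";
+endpoint.device.tcp4port["53"]="true";
+endpoint.device.tcp4port["22"]="true";
+endpoint.device.tcp4port["631"]="true";
+endpoint.device.tcp4port["445"]="true";
+endpoint.device.tcp4port["9216"]="true";
+endpoint.device.tcp6port["139"]="true";
+endpoint.device.tcp6port["53"]="true";
+endpoint.device.tcp6port["22"]="true";
+endpoint.device.tcp6port["631"]="true";
+endpoint.device.tcp6port["445"]="true";
+endpoint.device.MAC["FFFF.FFFF.FFFF"]="true";
+endpoint.device.protection_extension="3.6.4900.2";
+endpoint.fw["IPTablesFW"]={};
+endpoint.fw["IPTablesFW"].exists="true";
+endpoint.fw["IPTablesFW"].description="IPTables (Linux)";
+endpoint.fw["IPTablesFW"].version="1.6.1";
+endpoint.fw["IPTablesFW"].enabled="ok";
+'
+shift
+
+TICKET=
+STUB=0
+
+while [ "$1" ]; do
+if [ "$1" == "-ticket" ]; then shift; TICKET=${1//\"/}; fi
+if [ "$1" == "-stub" ]; then shift; STUB=${1//\"/}; fi
+shift
+done
+
+PINNEDPUBKEY="-s ${CSD_SHA256:+"-k --pinnedpubkey sha256//$CSD_SHA256"}"
+URL="https://$CSD_HOSTNAME/+CSCOE+/sdesktop/token.xml?ticket=$TICKET&stub=$STUB"
+COOKIE_HEADER="Cookie: sdesktop="$(curl $PINNEDPUBKEY -s "$URL" | xmlstarlet sel -t -v /hostscan/token)
+CONTENT_HEADER="Content-Type: text/xml"
+URL="https://$CSD_HOSTNAME/+CSCOE+/sdesktop/scan.xml?reusebrowser=1"
+curl $PINNEDPUBKEY -H "$CONTENT_HEADER" -H "$COOKIE_HEADER" --data "$DATA;type=text/xml" "$URL"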
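Review bot: The token fetch on the `COOKIE_HEADER=` line is never checked: curl runs with `-s`, so a failed request or an empty `/hostscan/token` result silently yields `Cookie: sdesktop=` and the script still posts the scan results to scan.xml with that empty cookie. Split the fetch out and stop on an empty token: `TOKEN=$(curl $PINNEDPUBKEY -s "$URL" | xmlstarlet sel -t -v /hostscan/token)`, `[ -n "$TOKEN" ] || { echo "Failed to fetch CSD token" >&2; exit 1; }`, `COOKIE_HEADER="Cookie: sdesktop=$TOKEN"`. The same applies to `CSD_HOSTNAME`, which both URL lines assume is set; `: "${CSD_HOSTNAME:?CSD_HOSTNAME not set}"` before the first `URL=` makes that failure explicit instead of producing `https:///...`. The unquoted `$PINNEDPUBKEY` on both curl lines relies on word-splitting by design (and, when CSD_SHA256 is set, on `-k` being paired with `--pinnedpubkey`); a one-line comment saying so, or a bash array, would keep shellcheck and future readers from "fixing" it into a single argument.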