undefined | Better HN

0 pointsolyjohn4y ago0 comments

Even the ones that "security scan" like Cisco Secure Mobility Client still use just a cookie to authenticate you and standard protocols for the VPN itself. You can usually log into the web portal, snag the cookie, and then place it into something like OpenConnect. The server side just looks for an "okay" from whatever application was used to run the scan. This can be easily fooled by OpenConnect, assuming you know what response it's looking for.

0 comments

1 comments · 1 top-level

tyingq4y ago

>"easily fooled"

I've done it, and it's not easy, though it does work. To make it work in my environment, I had to use a golang proxy and a fair amount of messing around with certificates to see what all it's looking for. It's more than a cookie...it's a form post with keys/values that vary based on whatever the local vpn people decided.

See https://github.com/Gilks/hostscan-bypass for details.

j / k navigate · click thread line to collapse