collective/nu-vpn-proxy
17
0
Fork 0
Code
master
nu-vpn-proxy/hipreport-modified.sh
Benjamin Mako Hill c3af198d87 updated the proxy code to make it work based on other bitrot 
- hipreport: updated the client version to match new globalconnect code
- hipreport: update linux kernel version to something more modern
- disable ESP and IPv6 which seem to be working poorly
- change code in ssh wrapper for no ESP
2025-03-09 23:13:18 -07:00

151 lines
4.3 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/sh
# openconnect will call this script with the follow command-line
# arguments, which are needed to populate the contents of the
# HIP report:
#
# --cookie: a URL-encoded string, as output by openconnect
# --authenticate --protocol=gp, which includes parameters
# from the /ssl-vpn/login.esp response
#
# --client-ip{,v6}: IPv4/6 addresses allocated by the GlobalProtect
# VPN for this client (included in
# /ssl-vpn/getconfig.esp response)
#
# --md5: The md5 digest to encode into this HIP report. I'm not sure
# exactly what this is the md5 digest *of*, but all that
# really matters is that the value in the HIP report
# submission should match the value in the HIP report check.
#
# This hipreport.sh does not work as-is on Android. The large here-doc
# (cat <<EOF) does not appear to work with Android's /system/bin/sh,
# likely due to an insufficient read buffer size.
# Try hipreport-android.sh instead.
# Read command line arguments into variables
COOKIE=
IP=
IPv6=
MD5=
while [ "$1" ]; do
if [ "$1" = "--cookie" ]; then shift; COOKIE="$1"; fi
if [ "$1" = "--client-ip" ]; then shift; IP="$1"; fi
if [ "$1" = "--client-ipv6" ]; then shift; IPV6="$1"; fi
if [ "$1" = "--md5" ]; then shift; MD5="$1"; fi
shift
done
if [ -z "$COOKIE" -o -z "$MD5" -o -z "$IP$IPV6" ]; then
echo "Parameters --cookie, --md5, and --client-ip and/or --client-ipv6 are required" >&2
exit 1;
fi
# Extract username and domain and computer from cookie
USER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)user=([^&]+)(&.+|$)/\2/p')
DOMAIN=$(echo "$COOKIE" | sed -rn 's/(.+&|^)domain=([^&]+)(&.+|$)/\2/p')
COMPUTER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)computer=([^&]+)(&.+|$)/\2/p')
# Timestamp in the format expected by GlobalProtect server
NOW=$(date +'%m/%d/%Y %H:%M:%S')
DAY=$(date +'%d')
MONTH=$(date +'%m')
YEAR=$(date +'%Y')
# This value may need to be extracted from the official HIP report, if a made-up value is not accepted.
HOSTID="D52047CC-33AF-11B2-A85C-89044BD0C4D8"
cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<hip-report>
<md5-sum>$MD5</md5-sum>
<user-name>$USER</user-name>
<domain>$USER</domain>
<host-name>$COMPUTER</host-name>
<host-id>$HOSTID</host-id>
<ip-address>$IP</ip-address>
<ipv6-address>$IPV6</ipv6-address>
<generate-time>$NOW</generate-time>
<categories>
<entry name="host-info">
<client-version>6.3.0-33</client-version>
<os>Linux 6.1.0-31-amd64</os>
<os-vendor>Linux</os-vendor>
<domain>domain.com</domain>
<host-name>spes</host-name>
<host-id>d6f838cc-2b6f-11b2-a85c-d7bcda6b231e</host-id>
<network-interface>
<entry name="pan1">
<description>pan1</description>
<mac-address>42:4e:62:fe:ef:87</mac-address>
<ip-address>
<entry name="$IP"/>
</ip-address>
<ipv6-address>
<entry name="$IPV6"/>
</ipv6-address>
</entry>
</network-interface>
</entry>
</categories>
</hip-report><?xml version="1.0" encoding="UTF-8"?>
<hip-report>
<md5-sum>$MD5</md5-sum>
<user-name>$USER</user-name>
<domain>$USER</domain>
<host-name>$COMPUTER</host-name>
<host-id>$HOSTID</host-id>
<ip-address>$IP</ip-address>
<ipv6-address>$IPV6</ipv6-address>
<generate-time>$NOW</generate-time>
<hip-report-version>4</hip-report-version>
<categories>
<entry name="host-info">
<client-version>6.3.0-33</client-version>
<os>Linux 6.1.0-31-amd64</os>
<os-vendor>Linux</os-vendor>
<domain>domain.com</domain>
<host-name>spes</host-name>
<host-id>d6f838cc-2b6f-11b2-a85c-d7bcda6b231e</host-id>
<network-interface>
<entry name="pan1">
<description>pan1</description>
<mac-address>42:4e:62:fe:ef:87</mac-address>
<ip-address>
<entry name="$IP"/>
</ip-address>
<ipv6-address>
<entry name="$IPV6"/>
</ipv6-address>
</entry>
</network-interface>
</entry>
<entry name="anti-malware">
<list>
</list>
</entry>
<entry name="disk-backup">
<list>
</list>
</entry>
<entry name="disk-encryption">
<list>
</list>
</entry>
<entry name="firewall">
<list>
</list>
</entry>
<entry name="patch-management">
<list>
</list>
</entry>
<entry name="data-loss-prevention">
<list>
</list>
</entry>
</categories>
</hip-report>
EOF
View Git Blame Copy Permalink