Support of the two-factor authentication
Hello! New job, new VPN, and I was asked to use netExtender.
While trying to keep my machine clean from this closed source stuff, I discovered your project.
I am testing it, but actually I need a way to provide the two-factor authentication, here is what I get:
```
└─> nxBender --server ssl1.client.com -u gseren -p 'pass' -d 2fa.client.com --debug
INFO Logging in...
DEBUG Starting new HTTPS connection (1): ssl1.client.com:443
send: b'POST /cgi-bin/userLogin HTTP/1.1\r\nHost: ssl1.client.com\r\nAccept-Encoding: identity\r\nUser-Agent: Dell SonicWALL NetExtender for Linux 8.1.789\r\nX-NE-SESSIONPROMPT: true\r\nContent-Length: 78\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n'
send: b'username=gseren&password=pass&domain=2fa.client.com&login=true'
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Wed, 15 Jul 2020 11:09:48 GMT
header: Server: SonicWALL SSL-VPN Web Server
header: X-NE-tf: 1
header: X-NE-message: Get a verification code from the two-factor authentication app and verify your identity
header: MC-bookmarks: 3
header: Set-Cookie: swap=MGZzRm5ZdzBLR3c4WVZtMEltaU1NYUl3M2kjkjkjkjkxNeFBiS0xwS3VhST0=; path=/; secure; HttpOnly
header: X-FRAME-OPTIONS: SAMEORIGIN
header: X-XSS-Protection: 1; mode=block
header: Content-Security-Policy: script-src https://*.duosecurity.com 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self'; style-src 'self' 'unsafe-inline'
header: Referrer-Policy: strict-origin
header: X-Content-Type-Options: nosniff
header: Transfer-Encoding: chunked
header: Content-Type: text/html; charset=UTF-8
DEBUG https://ssl1.client.com:443 "POST /cgi-bin/userLogin HTTP/1.1" 200 None
Traceback (most recent call last):
  File "/home/gseren/.local/bin/nxBender", line 8, in <module>
    sys.exit(main())
  File "/home/gseren/.local/lib/python3.7/site-packages/nxbender/__init__.py", line 67, in main
    sess.run()
  File "/home/gseren/.local/lib/python3.7/site-packages/nxbender/nx.py", line 48, in run
    self.options.domain
  File "/home/gseren/.local/lib/python3.7/site-packages/nxbender/nx.py", line 73, in login
    raise IOError('Server returned error: %s' % error)
OSError: Server returned error: Get a verification code from the two-factor authentication app and verify your identity
```
I think it should be possible to catch this error, and ask (or provide it by an argument) the two-factor pin, what do you think ?
Hey, I think the headers that say it needs 2FA are:
```
header: X-NE-tf: 1
header: X-NE-message: Get a verification code from the two-factor authentication app and verify your identity
```
Can someone using this without 2FA confirm?
Hi Guillaume! I'm sorry I didn't have time to look at this before now. Are you still using the same VPN?
I just added support for my organisation's 2fa, but they use a different method (X-NE-tf: 5).
I used mitmproxy with the official client to work out how the new flow works, can you do the same? I ran mitmproxy like so:
```
mitmproxy --mode reverse:https://vpn.myemployer.net
```
Then connected using the client like so:
```
./netExtender -u myusername -d mydomain localhost:8080
```
Yes your way through the untrusted certificate warning and you'll get a trace of the requests needed to get logged in.
@ml1nk your help would also be welcome if this still affects you
Hey @abrasive, no, I am not working with this company anymore so I can't test this, but that's good news that you added the support, thank you!
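An added example, not nxBender's own code: a sketch of how a client could tell the 2FA prompt in the login trace above apart from a real login error instead of raising on any `X-NE-message`. It assumes, from the trace only, that the presence of `X-NE-tf` marks a second-factor challenge; `LoginOutcome`, `parse_debug_headers` and `classify_login` are hypothetical names, and how the code is then submitted to the server is not shown because the thread does not document it.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class LoginOutcome:
    state: str                       # "ok", "two_factor" or "error"
    tf_method: Optional[int] = None  # value of X-NE-tf (1 and 5 appear in the thread)
    message: Optional[str] = None    # text of X-NE-message, if any


def parse_debug_headers(lines: Iterable[str]) -> Dict[str, str]:
    """Turn 'header: Name: value' debug lines into a lower-cased header map."""
    headers: Dict[str, str] = {}
    for line in lines:
        if not line.startswith("header: "):
            continue  # skip send:/reply:/DEBUG lines
        # Split on the first colon only; values such as Date or CSP contain colons.
        name, sep, value = line[len("header: "):].partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_login(headers: Dict[str, str]) -> LoginOutcome:
    """Classify a /cgi-bin/userLogin response from its (lower-cased) headers."""
    message = headers.get("x-ne-message")
    tf = headers.get("x-ne-tf")
    if tf is not None:
        # Assumption: X-NE-tf means "second factor required", so the
        # accompanying X-NE-message is a prompt, not a failure.
        method = int(tf) if tf.isdigit() else None
        return LoginOutcome("two_factor", method, message)
    if message:
        return LoginOutcome("error", None, message)
    return LoginOutcome("ok")


# Constructed sample, cut down from the trace in the report above.
SAMPLE_TRACE = [
    "reply: 'HTTP/1.1 200 OK\\r\\n'",
    "header: Date: Wed, 15 Jul 2020 11:09:48 GMT",
    "header: X-NE-tf: 1",
    "header: X-NE-message: Get a verification code from the two-factor "
    "authentication app and verify your identity",
    "header: Content-Type: text/html; charset=UTF-8",
]

if __name__ == "__main__":
    print(classify_login(parse_debug_headers(SAMPLE_TRACE)))
```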