#!/usr/bin/python
from __future__ import print_function
try:
import http.client as http_client
except ImportError:
# Python 2
import httplib as http_client
input = raw_input
import requests
import argparse
import getpass
import os, re
import xml.etree.ElementTree as ET
from sys import stderr
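# Regex for the gateway's HTML reply to a failed or multi-step login: a tiny
# page whose body is a JavaScript snippet assigning respStatus / respMsg and
# echoing the "inputStr" token that must be posted back on the next round.
CHALLENGE_RE = re.compile(
    r'''\n*var respStatus = "(.*)";\nvar respMsg = "(.*)";\n*thisForm.inputStr.value = "(.*)";\n*''')


def parse_args(argv=None):
    """Parse the command line (sys.argv when *argv* is None).

    Returns an argparse.Namespace with ``verbose`` (int), ``gateway`` (str),
    ``user``/``password``/``cert``/``key`` (str or None) and ``verify`` (bool,
    False when --no-verify is given).  Exits through argparse's usage error
    when --key is given without --cert.
    """
    p = argparse.ArgumentParser()
    p.add_argument('-v', '--verbose', default=0, action='count',
                   help='Enable http.client debug output (WARNING: this dumps the '
                        'login form, including the password, to stdout)')
    p.add_argument('gateway', help='Hostname of GlobalProtect gateway')
    g = p.add_argument_group('Login credentials')
    g.add_argument('-u', '--user', help='Username (will prompt if unspecified)')
    g.add_argument('-p', '--password',
                   help='Password (will prompt if unspecified; a password given here is '
                        'visible in process listings and shell history, so prefer the prompt)')
    g.add_argument('--cert', help='PEM file containing client certificate (and optionally private key)')
    g.add_argument('--key', help='PEM file containing client private key (if not included in same file as certificate)')
    g.add_argument('--no-verify', dest='verify', action='store_false', default=True,
                   help='Ignore invalid server certificate (INSECURE: the password and the '
                        'returned auth cookie are then sent to whoever answers at that address)')
    args = p.parse_args(argv)
    # A key without a certificate can never be used; reject it instead of silently ignoring it.
    if args.key and not args.cert:
        p.error('--key specified without --cert')
    return args


def client_cert(args):
    """Return the value for requests' ``cert`` option.

    ``(cert, key)`` when both files are given, the certificate path alone when
    it also holds the private key, or None when no client certificate is used.
    """
    if args.cert and args.key:
        return (args.cert, args.key)
    if args.cert:
        return args.cert
    return None


def build_session(args):
    """Create the requests.Session used for the login POSTs.

    Sets the User-Agent the gateway expects, attaches the client certificate
    and, with --verbose, enables http.client's wire-level debug output.
    Warns on stderr about the two options that expose credentials.
    """
    s = requests.Session()
    s.headers['User-Agent'] = 'PAN GlobalProtect'
    s.cert = client_cert(args)
    if not args.verify:
        print('WARNING: --no-verify disables TLS certificate validation; the password and '
              'the auth cookie can be captured by anyone who can intercept the connection.',
              file=stderr)
    if args.verbose:
        # http.client debug output prints complete request bodies to stdout, which
        # includes the posted password and later the returned auth cookie.
        print('WARNING: --verbose prints the login form (including the password) to stdout.',
              file=stderr)
        http_client.HTTPConnection.debuglevel = 1
    return s


def parse_challenge_response(text):
    """Extract ``(respStatus, respMsg, inputStr)`` from the gateway's HTML reply.

    Returns None when *text* does not have the JavaScript shape matched by
    CHALLENGE_RE (anchored at the start of the body).
    """
    m = CHALLENGE_RE.match(text)
    return m.groups() if m else None


def _fail_unknown(res):
    """Report an unrecognised gateway reply and stop; never re-post the same form.

    Raises requests.HTTPError for 4xx/5xx replies, RuntimeError otherwise.
    """
    print('Got unknown response: %r' % res.text)
    res.raise_for_status()
    # A 2xx that is neither the JNLP document nor the challenge page: looping
    # back would re-submit identical credentials forever, so bail out instead.
    raise RuntimeError('Unrecognized response from gateway (HTTP %d, Content-Type %r)'
                       % (res.status_code, res.headers.get('Content-Type')))


def login(session, args):
    """Drive the login, including any challenge rounds, on *session*.

    Prompts for the username and password when they were not given on the
    command line.  A "Challenge" reply clears the password so the next round
    prompts for the challenge answer, and echoes the gateway's inputStr back.
    Returns the JNLP document text on success, or None when the gateway
    reports a non-challenge status (e.g. a rejected login).  Raises
    requests.HTTPError / RuntimeError for replies it cannot interpret.
    """
    user, password, inputStr = args.user, args.password, ''
    login_url = 'https://{}/ssl-vpn/login.esp'.format(args.gateway)
    hostname = os.uname()[1]  # POSIX only; sent as the "computer" form field

    while True:
        if not user:
            user = input('Username: ')
        if not password:
            password = getpass.getpass('Password: ')

        print("Posting login request to: %s" % login_url)
        form = dict(user=user, passwd=password, inputStr=inputStr,
                    jnlpReady='jnlpReady', ok='Login', direct='yes',  # required
                    clientVer=4100, server=args.gateway, prot='https:', computer=hostname  # optional but might affect behavior
                    )
        res = session.post(login_url, form, verify=args.verify)

        # Compare the media type only, so "text/html; charset=..." is still
        # recognised as the challenge/error page rather than fed to the XML parser.
        content_type = res.headers.get('Content-Type', '').split(';')[0].strip().lower()
        if content_type == 'text/html':
            parsed = parse_challenge_response(res.text)
            if parsed is None:
                return _fail_unknown(res)
            respStatus, respMsg, value = parsed
            if respStatus == 'Challenge':
                print('=> Challenge with inputStr=%r: %s' % (value, respMsg))
                password = None  # force a fresh prompt for the challenge answer
                inputStr = value
                continue
            print('=> %s with inputStr=%r: %s' % (respStatus, inputStr, respMsg))
            return None
        if res.status_code == 200:
            print('=> Success')
            return res.text
        return _fail_unknown(res)


def authcookie_from_jnlp(xml_text):
    """Build the openconnect ``--cookie`` value from the gateway's JNLP document.

    The JNLP's <argument> elements are positional; this script relies on index
    1 = authcookie, 3 = portal, 4 = user and 7 = domain (observed gateway
    behaviour, not a documented format).  The document comes from the gateway
    and is parsed with the stdlib ElementTree parser.  Raises ValueError when
    fewer than 8 arguments are present, instead of an opaque IndexError.
    """
    fields = [x.text for x in ET.fromstring(xml_text).findall('.//argument')]
    if len(fields) < 8:
        raise ValueError('JNLP response carries %d <argument> elements, expected at least 8'
                         % len(fields))
    return 'user={4}&authcookie={1}&portal={3}&domain={7}'.format(*fields)


def main():
    """Script entry point: log in and print the openconnect command line."""
    args = parse_args()
    session = build_session(args)
    jnlp = login(session, args)
    if jnlp:
        authcookie = authcookie_from_jnlp(jnlp)
        # The cookie is a bearer credential for the VPN session; it goes to
        # stderr, so treat terminal output and scrollback as sensitive.
        print('''

Start openconnect with:

    openconnect --protocol=gp %s --cookie "%s"

''' % (args.gateway, authcookie), file=stderr)


if __name__ == '__main__':
    main()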