On a recent internal penetration test engagement, I was faced with using a Juniper VPN to access the target network. One small problem, Juniper does not formally support Linux operating systems. The Juniper Pulse and Pulse Secure clients are only available for Windows and OSX.
Since I didn’t have an OSX system I would have been forced to give up several tools that are extremely useful. I did a fair amount of searching and found several solutions to the problem. However, many were somewhat complex and had a time investment requirement that just didn’t make sense for my temporary access requirement.
In the end, I found the following post the most useful for successfully connecting.
Since, I was only connecting to this device on a temporary basis I just bypassed the Grease Monkey script and used a simple substitution. The process is outlined below.
First, install OpenConnect using your favorite package manager. In order to make this work, you have to be running OpenConnect v7.05 or later. Starting with v7.05, the OpenConnect client has the –jupiter switch included which provides “experimental” connectivity to Juniper VPN devices. Documentation for this switch is available at the following URL:
You won’t find this information or evidence of the switch in the man page or help for OpenConnect.
Next, you’ll need a cookie manager. To prepare for building your SSL Tunnel you’ll need to log onto the VPN web interface. This will place the DSID session cookie into your browser cookie storage. Once it is there, we will grab the value and pass it to OpenConnect on the command line in order to complete authentication. For this purpose, I just used Cookies Manager+ which I keep installed for web application penetration test engagements.
The Full Process
Now that all of the prerequisites have been met, we’ll log into the Juniper Web Interface. Log in using your user account, pin, and token value. Your pin is set up when you first access the VPN web interface. The passcode seen below is your pin and current two factor token value concatenated in that order.
After successfully authenticating to the web interface, your browser will have multiple cookies set for the Juniper site. Open your cookie manager to review them. One of these cookie values has the name DSID. This value is necessary to complete the authentication process. Copy the value into your clipboard.
Next, open a root shell and execute the following command to establish an SSL VPN tunnel with the target VPN concentrator.
After executing this command, you should see output similar to the following indicating the progress of the negotiation process.
Voila…successful tunnel negotiation with a Juniper SSL VPN concentrator and nearly zero overhead.