Fully connecting via terminal skipping the WebUI

[BlasterJoni]

From what I gather after looking at multiple projects that interact with Checkpoint's VPN, the snx binary has various undocumented ways of being used to establish a connection without making use of the WebUI.

Here's a list of some of the methods I found in other projects:

• Login information as arguments to snx: https://github.com/ananni13/docker-snx-checkpoint-vpn
• Undocumented -Z flag in the snx binary that opens a TCP connection where snx expects connection info in binary blobs: https://github.com/schlatterbeck/snxvpn
• Using a .snxrc config file: https://github.com/klimuts/snx-client

Thought I would bring these to your attention, and open a discussion about it, as it might be a cool addition to the script.

[BlasterJoni]

Just noticed you're the one answering in some of the stack exchange questions I was looking at about this, so... I guess you are already aware of this xD

[ruyrybeyro]

SNX is indeed a "regular" binary program/daemon/utility that supports command Linux options and a configuration file. It is/was officially documented, though it is invisible for the normal user when dealing with the web Mobile Access Portal.

Check Point's Linux SNX
build 800008304
usage: snx -s <server> {-u <user>|-c <certfile>} [-l <ca dir>] [-p <port>] [-r] [-g]
                                run SNX using given arguments
       snx -f <cf>              run the snx using configuration file
       snx                      run the snx using the ~/.snxrc

       snx -d                   disconnect a running SNX daemon

        -s <server>           connect to server <server>
        -u <user>             use the username <user>
        -c <certfile>         use the certificate file <certfile>
        -l <ca dir>           get trusted ca's from <ca dir>
        -p <port>             connect using port <port>
        -g                    enable debugging

Afaik both CShell (and snxvpn) create sockets to pipe data from CShell to snx using the undocumented -Z switch.

.snxrc used to be useful when there was a special SNX version from CheckPoint that could double as a pure command line daemon, with no need for the web portal, X11/xorg and Java. That SNX 800007075 version only supported SSLv3, was (ab)used for many years, and unfortunately was obsoleted as soon the new CheckPoint VPNs started using TLS.

As for snxvpn it is an interesting reversing engineering effort of the CheckPoint VPN protocol negotiation - e.g. a command line drop-in replacement for web port+CShell, no need for xorg, Firefox and Java. However, I believe, and I can be wrong, there are some intentional changes to try to thwart similar efforts, from inspecting user agent strings to (probably) checking SNX/CShells versions (not sure of the latter point). snxvpn python3 full setup is a bit problematic also. Nonetheless, even after using https://github.com/agnis-mateuss/snxvpn and applying a pull request from the main schlatterbeck repo for dealing with the new user agent check, there still seems to be something broken.

Btw, there is a "new" python3 snxvpn. I am installing it with:

pip install snxvpn-fix

and running as:

snxconnect -H vpnxxxx.xxx -U xxxx  -p https -F Login/Login -E SNX/extender

But still running into problems, maybe because we have an authentication PIN; it might work for you.

Also, any efforts to drive the web Portal directly (Selenium maybe?) probably need to be done running in the foreground via xorg. CShell or SNX via CShell display error messages via X11 on top of the web browser and not via the web browser. I suspect an headless setup as in SNX 800007075 or snxvpn is not possible without taking the Web Portal+CShell(?) out of the equation, or maybe not - while it does not look like so, the current SNX might support text as in the past, and have tried to use a needlessly contrived setup of a remote headless chrome without success.

Coming back to .snxrc, the VPN portal+Java CShell daemon+SNX is apparently the client that we have nowadays, and at applicational level we need to login on using the web VPN Portal. I suspect .snxrc not being that useful whilst we keep using the Web portal+Cshell as the CheckPoint endorsed wrapper for snx.

The current SSL Network Extender/SNX binary seems to be able to authenticate (and open the tunnel?) when invoked from the command line, however unlike the obsolete special build 800007075 , is not able to authenticate paste the "new" user agent verification on its own and much less keep the tunnel open for as long as it is needed. It would be interesting understanding what made the snx build 800007075 different (more client glue logic). The docker image(s) floating around are only a containerised SNX 800007075 and don't bring anything new. I suspect such is the case for the klimuts repo too.

From sk115242 https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk115242&partition=Advanced&product=SSL

"The SNX CLI mode in Linux OS feature is not included in the product. Consequently, if you want to use a newer SNX build for Linux CLI implementation, you need to submit a [Request for Enhancement]"

Nevertheless, snxvpn might be a relic from the past where what we know today as the CShell Java daemon was a browser applet; nowadays it could be easier just replicating the functionality of the Web Portal.