TrueJournals

cca-bypass beta1

by on Dec.04, 2009, under realbasic

For a while, Cisco Clean Access on Windows has bothered the heck out of me.  The CCA client for Windows is just plain buggy.  It takes forever to open, prompts me to let it run as admin every time I boot into Windows, doesn't let me use the Internet until I update Windows (which sometimes requires a reboot first), and sometimes just doesn't work.  However, I've only recently decided to investigate further and figure out how to get past it.

The idea is simple: on a machine running Linux, everything is done through a web interface.  This makes it simple to script your way through Clean Access.  On Windows, the same web interface is presented, but it just tells you to download the client.  The obvious bypass, changing your browser's User-Agent, doesn't work: Clean Access has another way of telling that you're running Windows, namely TCP/IP stack fingerprinting.  Windows and Linux fill in the TCP/IP headers of a connection differently (the initial TTL, the window size in the SYN, the order of the TCP options, and so on), so the appliance can tell which OS is on the other end from the traffic itself, without looking at any HTTP headers.  So the answer becomes to change what your TCP/IP stack puts on the wire.

It turns out that this can be done using something called sec_cloak.  This is, really, a security tool: it stops people on the network from fingerprinting which operating system you're running.  It doesn't fix any Windows vulnerabilities, but if an attacker's fingerprint says "Linux," they'll go after you with the wrong exploits.  For our purposes, we can mask the computer as Linux.  To do this, sec_cloak rewrites some of the TCP/IP stack parameters that Windows keeps in the registry (the ones that end up in the fingerprint).  That's about where my technical knowledge of sec_cloak ends.  How someone found these values, and why changing them does what it does, I'm not sure about.  For our purposes, though, that's really not very important.  The important part is that now the network can't tell which OS you're running.

However, this is STILL not enough.  The web interface has some sneaky tricks of its own to detect which operating system you're running, so we need to fool it too.  It has a couple of methods: it checks your User-Agent, and it runs some JavaScript that asks the browser about the OS directly (values like navigator.platform, which a User-Agent override doesn't change).  So we now have the magic combination: sec_cloak to Linux, change the User-Agent to a Linux one, and disable JavaScript in the browser.
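To see why each of the three pieces is needed, here is a small model of a NAC appliance's two-layer OS detection: a TCP/IP fingerprint taken from the SYN, and a User-Agent plus JavaScript check on the login page.  This is an added example, not Cisco's code and not part of cca-bypass; the SYN signatures are simplified from public p0f-style fingerprints, the SYN field values and User-Agent strings are constructed, and the "cloaked" SYN only shows what a Linux-looking stack produces, not which registry keys sec_cloak edits to get there.

```python
"""Hypothetical model of a NAC appliance's OS detection (not Cisco's code).

Layer 1: passive TCP/IP fingerprint of the client's SYN.
Layer 2: User-Agent string and a JavaScript probe on the login page.
Any layer that says "Windows" sends the client to the agent download.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SynFingerprint:
    ttl: int                   # IP TTL as observed by the appliance
    window: int                # TCP window advertised in the SYN
    mss: int                   # value of the MSS option
    options: Tuple[str, ...]   # TCP option kinds in on-the-wire order


# Approximate SYN signatures (assumption: simplified from public p0f data).
WINDOWS_OPTS = ("mss", "nop", "ws", "nop", "nop", "sok")  # Windows Vista/7
LINUX_OPTS = ("mss", "sok", "ts", "nop", "ws")            # Linux 2.6


def classify_tcp_syn(fp: SynFingerprint) -> str:
    """Guess the OS from the SYN alone; HTTP headers are not an input."""
    # Round the observed TTL up to the nearest common initial TTL.
    initial_ttl = next(t for t in (32, 64, 128, 255) if fp.ttl <= t)
    if initial_ttl == 128 and fp.options == WINDOWS_OPTS:
        return "Windows"
    if (initial_ttl == 64 and fp.options == LINUX_OPTS
            and fp.mss and fp.window % fp.mss == 0):   # Linux: window = n*MSS
        return "Linux"
    return "unknown"


def classify_http(user_agent: str, js_platform: Optional[str]) -> str:
    """js_platform is navigator.platform as reported back by a probe script,
    or None if the browser never ran it (JavaScript disabled)."""
    if js_platform is not None:
        # The script-reported value is trusted over the User-Agent because a
        # User-Agent override does not change navigator.platform.
        if js_platform.startswith("Win"):
            return "Windows"
        if js_platform.startswith("Linux"):
            return "Linux"
    if "Windows" in user_agent:
        return "Windows"
    if "Linux" in user_agent or "X11" in user_agent:
        return "Linux"
    return "unknown"


def gate_decision(fp: SynFingerprint, user_agent: str,
                  js_platform: Optional[str]) -> str:
    """'require_agent' if any layer identifies Windows, else 'web_login'."""
    verdicts = {classify_tcp_syn(fp), classify_http(user_agent, js_platform)}
    return "require_agent" if "Windows" in verdicts else "web_login"


# Constructed inputs (assumed values, not captures).
WIN7_SYN = SynFingerprint(ttl=128, window=8192, mss=1460, options=WINDOWS_OPTS)
# The same host after its stack parameters are rewritten to look like Linux.
CLOAKED_SYN = SynFingerprint(ttl=64, window=5840, mss=1460, options=LINUX_OPTS)
WIN_UA = "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5"
LINUX_UA = "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko/20091109 Firefox/3.5.5"


def scenarios() -> dict:
    """Each step of the bypass on its own, and all three together."""
    return {
        "stock_windows": gate_decision(WIN7_SYN, WIN_UA, "Win32"),
        "ua_spoof_only": gate_decision(WIN7_SYN, LINUX_UA, "Win32"),
        "cloak_and_ua_js_on": gate_decision(CLOAKED_SYN, LINUX_UA, "Win32"),
        "cloak_and_ua_js_off": gate_decision(CLOAKED_SYN, LINUX_UA, None),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:22s} -> {decision}")
```

Only the last scenario reaches the web login: the User-Agent change alone is defeated by the SYN fingerprint, and the cloaked stack plus a Linux User-Agent is still defeated by the script reporting "Win32" until JavaScript is turned off.  A real appliance keys on more fields than this, which is why a fingerprint-masking tool has to rewrite the whole set consistently rather than just the TTL.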

Luckily, sec_cloak only needs to be applied once.  However, the login still needs to be done every time, and part of the pain with Cisco's Clean Access Client was that I needed to type in my username and password every time I booted my computer.  So my next step was to create an application.  After a good couple of hours of coding, I have an application that will apply the sec_cloak fix, save login credentials, and go through the login pages automatically.  It still requires a bit of user interaction (clicking the "login" button), but I'm working on cutting this out so that the only interaction is the initial setup.

Note that cca-bypass should still be considered beta.  That is, it seems stable enough in my small amount of testing to work most of the time, but you shouldn't be surprised if something funky happens.  This application does absolutely no error handling, so don't be surprised if it just crashes and doesn't log you in.  If cca-bypass doesn't log you in, you can still use the Clean Access Client to log in to the network; doing so does not undo the sec_cloak fix.

cca-bypass stores your username and password encrypted; however, I'm not going to claim that the encryption is perfect or can't be broken.  The encryption key is a password built into the program, so anyone who gets hold of both the program and your saved credentials can recover them.  Be careful who gets hold of your files.  The password in the pre-compiled version is different from the one in the open-source version, so that it can't simply be read out of the source, but that only hides the hole; it doesn't close it.

I have personally tested cca-bypass on Windows 7.  I have also tested the same fix on Vista, and I have reports that it should work on XP.  I will try to do more testing to confirm that everything works on XP and Vista.

Pre-compiled binary: http://truejournals.com/wp-content/uploads/2009/12/cca-bypass-0.1-binary.zip

Source: http://truejournals.com/wp-content/uploads/2009/12/cca-bypass-0.1-source.zip

If you have any questions/comments/suggestions, please leave a comment!


1 Comment for this entry

  • joe

    Great article on CCA. It wrecks the internet where I'm at. Makes pages as slow as dialup on AOL. I will try your solution. Thanks!
