Pulse Secure VPN Gateway: analysis of the VM remote desktop (RDP) connection flow:
Pulse Secure first downloads the client app and installs it on the client machine. The installer registers the pulsesecure:// URL scheme, and the handler registered for that scheme is PulseApplicationLauncher.exe.
When the user opens the web page, dscheck runs first to check whether the client machine is going through a proxy. If a proxy such as Fiddler is detected, it reports the connection as insecure and refuses to connect; otherwise sign-in to the gateway proceeds normally.
When the user clicks a resource on the page, a pulsesecure:// URL is generated whose body is a base64-encoded command line, for example:
pulsesecure://LUFwcElkICJ3dHMiIC1BcHBBY3Rpb24gIlN0YXJ0IiAtTGF1bmNoUGFyYW1zVVJMICIvZGFuYS9o
b21lL3BzYWxwYXJhbXMuY2dpP2FtPXd0cyZwYXJhbXM9Y205M1BUQjVaWE11Y21WemIzVnlZMlZm
TVRZek5EVTBPVE0zT1M0MU16WTRORGN1TWlacGJtUmxlRDB3Sm5CbGNtMDllV1Z6IiAtU2VydmVy
VG9rZW5zICJEU0FQUExhdW5jaFRva2VuPTE4ZDUyNDM5N2QxNTY1MGQ0ZDg5NTU2OTE0N2FmNGEz
O0RTU2lnbkluVVJMPTsiIC1Ib3N0ICJ3d3cuYWJjLmNvbSIgLVNydkNlcnRNZDUgImRhMTdlMmRh
OTUwOTAyYmMxOTQ1ZDdhNDRjNTlhM2MyIiAtVXNlckFnZW50ICJNb3ppbGxhLzUuMCAoV2luZG93
cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdl
Y2tvKSBDaHJvbWUvMTIzLjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEyMy4wLjAuMCIgLUxvY2Fs
ZSAiemgtY24iIC1TZXJ2ZXJWZXJzaW9uICI5LjEuMjUyNSIgLVRpbWVTdGFtcCAiMTcxMjgxNTk2
ODUxNiIK
Decoded, the body reads:
-AppId "wts" -AppAction "Start" -LaunchParamsURL "/dana/home/psalparams.cgi?am=wts&params=cm93PTB5ZXMucmVzb3VyY2VfMTYzNDU0OTM3OS41MzY4NDcuMiZpbmRleD0wJnBlcm09eWVz" -ServerTokens "DSAPPLaunchToken=18d524397d15650d4d895569147af4a3;DSSignInURL=;" -Host "www.abc.com" -SrvCertMd5 "da17e2da950902bc1945d7a44c59a3c2" -UserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0" -Locale "zh-cn" -ServerVersion "9.1.2525" -TimeStamp "1712815968516"
The params value is itself base64: cm93PTB5ZXMucmVzb3VyY2VfMTYzNDU0OTM3OS41MzY4NDcuMiZpbmRleD0wJnBlcm09eWVz decodes to row=0yes.resource_1634549379.536847.2&index=0&perm=yes.
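To make the decoding above repeatable, here is a small parser I added for this write-up; it is my own code, not anything from Pulse Secure or PulseApplicationLauncher.exe. It takes the pulsesecure:// URL quoted above (the only real data in it), base64-decodes the body, splits the quoted -Flag "value" pairs, unpacks the nested base64 in LaunchParamsURL and the ;-separated ServerTokens, and finally runs a sanity check that the -Host and -SrvCertMd5 carried in the link match the gateway the page was served from. That last check is an analysis aid with assumed expected values; whether the launcher itself enforces anything like it is not established by this analysis. Worth keeping in mind for the next part: the host, the server certificate MD5 and the launch token all travel inside the link the browser hands to the launcher.

```python
"""Decode a Pulse Secure pulsesecure:// launch URL into its parts.

Added example for this write-up, not code from Pulse Secure. Only the sample
URL is real (taken from the page); the expected host/cert values used by
check_launch_target() are assumptions for illustration.
"""
import base64
import shlex
from urllib.parse import parse_qs, urlsplit

# The pulsesecure:// URL quoted above, with the 76-column line wrapping removed.
SAMPLE_URL = (
    "pulsesecure://"
    "LUFwcElkICJ3dHMiIC1BcHBBY3Rpb24gIlN0YXJ0IiAtTGF1bmNoUGFyYW1zVVJMICIvZGFuYS9o"
    "b21lL3BzYWxwYXJhbXMuY2dpP2FtPXd0cyZwYXJhbXM9Y205M1BUQjVaWE11Y21WemIzVnlZMlZm"
    "TVRZek5EVTBPVE0zT1M0MU16WTRORGN1TWlacGJtUmxlRDB3Sm5CbGNtMDllV1Z6IiAtU2VydmVy"
    "VG9rZW5zICJEU0FQUExhdW5jaFRva2VuPTE4ZDUyNDM5N2QxNTY1MGQ0ZDg5NTU2OTE0N2FmNGEz"
    "O0RTU2lnbkluVVJMPTsiIC1Ib3N0ICJ3d3cuYWJjLmNvbSIgLVNydkNlcnRNZDUgImRhMTdlMmRh"
    "OTUwOTAyYmMxOTQ1ZDdhNDRjNTlhM2MyIiAtVXNlckFnZW50ICJNb3ppbGxhLzUuMCAoV2luZG93"
    "cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdl"
    "Y2tvKSBDaHJvbWUvMTIzLjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEyMy4wLjAuMCIgLUxvY2Fs"
    "ZSAiemgtY24iIC1TZXJ2ZXJWZXJzaW9uICI5LjEuMjUyNSIgLVRpbWVTdGFtcCAiMTcxMjgxNTk2"
    "ODUxNiIK"
)


def decode_launch_url(url: str) -> dict:
    """Base64-decode the URL body and split it into {Flag: value} pairs."""
    scheme, _, body = url.partition("://")
    if scheme.lower() != "pulsesecure":
        raise ValueError(f"not a pulsesecure:// URL: {scheme!r}")
    # b64decode skips stray newlines, so a line-wrapped capture also decodes.
    text = base64.b64decode(body).decode("utf-8")
    tokens = shlex.split(text)  # honours the double quotes around each value
    if len(tokens) % 2:
        raise ValueError("unpaired -Flag/value token in launch command")
    args = {}
    for flag, value in zip(tokens[::2], tokens[1::2]):
        if not flag.startswith("-"):
            raise ValueError(f"expected a -Flag, got {flag!r}")
        args[flag[1:]] = value
    return args


def decode_launch_params(args: dict) -> dict:
    """Unpack LaunchParamsURL: its params= query value is a second base64 blob."""
    parts = urlsplit(args["LaunchParamsURL"])
    query = parse_qs(parts.query)
    inner = base64.b64decode(query["params"][0]).decode("utf-8")
    return {
        "path": parts.path,
        "am": query["am"][0],
        "params": {k: v[0] for k, v in parse_qs(inner).items()},
    }


def decode_server_tokens(args: dict) -> dict:
    """ServerTokens is a ';'-separated list of name=value items (cookie-like)."""
    tokens = {}
    for item in args["ServerTokens"].split(";"):
        if item:
            name, _, value = item.partition("=")
            tokens[name] = value
    return tokens


def check_launch_target(args: dict, expected_host: str, expected_cert_md5: str) -> list:
    """Analysis aid (assumption, not launcher behaviour): flag a link whose
    -Host or -SrvCertMd5 differs from the gateway the page came from."""
    problems = []
    if args.get("Host", "").lower() != expected_host.lower():
        problems.append(f"Host {args.get('Host')!r} != expected {expected_host!r}")
    if args.get("SrvCertMd5", "").lower() != expected_cert_md5.lower():
        problems.append("SrvCertMd5 differs from the expected gateway certificate")
    return problems


if __name__ == "__main__":
    parsed = decode_launch_url(SAMPLE_URL)
    for k, v in parsed.items():
        print(f"{k:16} {v}")
    print("launch params:", decode_launch_params(parsed))
    print("server tokens:", decode_server_tokens(parsed))
    # Assumed "known good" gateway values for the check, taken from the sample itself.
    print("target check:", check_launch_target(parsed, "www.abc.com",
                                               "da17e2da950902bc1945d7a44c59a3c2"))
```

Run it as-is and it prints the same field values listed above; point it at a captured link from a different gateway by editing SAMPLE_URL. Note that TimeStamp is a millisecond Unix epoch.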
Once PulseApplicationLauncher has received and decoded the base64 content, it uses those parameters to request the actual connection file (the .rdp file) from the server, then launches dsterm.exe to connect to the target server (this part of the analysis is not yet finished; to be continued...).