+ endpoint = 'https://{}/{}'.format(args.server, if2prelogin[args.interface])
+ data = {'tmp':'tmp', 'kerberos-support':'yes', 'ipv6-support':'no', 'clientVer':4100, 'clientos':args.clientos, **args.extra}
+ if args.verbose:
+ print("Looking for SAML auth tags in response to %s..." % endpoint, file=stderr)
+ try:
+ res = s.post(endpoint, verify=args.verify, data=data)
+ except Exception as ex:
+ rootex = ex
+ while True:
+ if isinstance(rootex, ssl.SSLError):
+ break
+ elif not rootex.__cause__ and not rootex.__context__:
+ break
+ rootex = rootex.__cause__ or rootex.__context__
+ if isinstance(rootex, ssl.CertificateError):
+ p.error("SSL certificate error (try --no-verify to ignore): %s" % rootex)
+ elif isinstance(rootex, ssl.SSLError):
+ p.error("SSL error: %s" % rootex)
+ else:
+ raise
+ xml = ET.fromstring(res.content)
+ if xml.tag != 'prelogin-response':
+ p.error("This does not appear to be a GlobalProtect prelogin response\nCheck in browser: {}?{}".format(endpoint, urlencode(data)))
+ sam = xml.find('saml-auth-method')
+ sr = xml.find('saml-request')
+ if sam is None or sr is None:
+ p.error("{} prelogin response does not contain SAML tags (<saml-auth-method> or <saml-request> missing)\n\n"
+ "Things to try:\n"
+ "1) Spoof an officially supported OS (e.g. --clientos=Windows or --clientos=Mac)\n"
+ "2) Check in browser: {}?{}".format(args.interface.title(), endpoint, urlencode(data)))
+ sam = sam.text
+ sr = a2b_base64(sr.text).decode()
+ if sam == 'POST':
+ html, uri = sr, None
+ elif sam == 'REDIRECT':
+ uri, html = sr, None
+ else:
+ p.error("Unknown SAML method (%s)" % sam)
+
+ # launch external browser for debugging
+ if args.external:
+ print("Got SAML %s, opening external browser for debugging..." % sam, file=stderr)
+ import webbrowser
+ if html:
+ uri = 'data:text/html;base64,' + b2a_base64(html.encode()).decode()
+ webbrowser.open(uri)
+ raise SystemExit