transport

package
v0.0.0-...-9f2a897 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 12, 2025 License: MIT Imports: 49 Imported by: 0

Documentation

Overview

Support code for TLS camouflage using uTLS.

The goal is: provide an http.RoundTripper abstraction that retains the features of http.Transport (e.g., persistent connections and HTTP/2 support), while making TLS connections using uTLS in place of crypto/tls. The challenge is: while http.Transport provides a DialTLS hook, setting it to non-nil disables automatic HTTP/2 support in the client. Most of the uTLS fingerprints contain an ALPN extension containing "h2"; i.e., they declare support for HTTP/2. If the server also supports HTTP/2, then uTLS may negotiate an HTTP/2 connection without the http.Transport knowing it, which leads to an HTTP/1.1 client speaking to an HTTP/2 server, a protocol error.

The code here uses an idea adapted from meek_lite in obfs4proxy: https://gitlab.com/yawning/obfs4/commit/4d453dab2120082b00bf6e63ab4aaeeda6b8d8a3 Instead of setting DialTLS on an http.Transport and exposing it directly, we expose a wrapper type, UTLSRoundTripper, that contains within it either an http.Transport or an http2.Transport. The first time a caller calls RoundTrip on the wrapper, we initiate a uTLS connection (bootstrapConn), then peek at the ALPN-negotiated protocol: if "h2", create an internal http2.Transport; otherwise, create an internal http.Transport. In either case, set DialTLS on the created Transport to a function that dials using uTLS. As a special case, the first time the DialTLS callback is called, it reuses bootstrapConn (the one made to peek at the ALPN), rather than make a new connection.

Subsequent calls to RoundTripper on the wrapper just pass the requests though the previously created http.Transport or http2.Transport. We assume that in future RoundTrips, the ALPN-negotiated protocol will remain the same as it was in the initial RoundTrip. At this point it is the http.Transport or http2.Transport calling DialTLS, not us, so we can't dynamically swap the underlying transport based on the ALPN.

https://bugs.torproject.org/29077 https://github.com/refraction-networking/utls/issues/16

Index

Constants

View Source 
const (
	// WebRoot root path of APIs
	WebRoot = "emp3r0r"
	// CheckInAPI agent send POST to this API to report its system info
	CheckInAPI = WebRoot + "/checkin"
	// MsgAPI duplex tunnel between agent and cc
	MsgAPI = WebRoot + "/msg"
	// ReverseShellAPI duplex tunnel between agent and cc
	ReverseShellAPI = WebRoot + "/rshell"
	// PortMappingAPI proxy interface
	PortMappingAPI = WebRoot + "/proxy"
	// Upload2AgentAPI file transfer
	Upload2AgentAPI = WebRoot + "/ftp"
	// DownloadFile2AgentAPI host some files
	DownloadFile2AgentAPI = WebRoot + "/www"
	// Static hosting
	WWW = "/www/"

	// OperatorRoot root path of control APIs
	OperatorRoot = "operator"
	// OperatorMsgTunnel
	OperatorMsgTunnel = OperatorRoot + "/msg_tunnel"
	// OperatorSetActiveAgent
	OperatorSetActiveAgent = OperatorRoot + "/set_active_agent"
	// OperatorListConnectedAgents
	OperatorListConnectedAgents = OperatorRoot + "/list_connected_agents"
	// OperatorSendCommand
	OperatorSendCommand = OperatorRoot + "/send_command"
)
View Source 
const (
	TGT_UNIX = iota
	TGT_TCP
)
View Source 
const (
	// MicrosoftNCSIURL is the URL used by Microsoft to check internet connectivity
	MicrosoftNCSIURL  = "http://www.msftncsi.com/ncsi.txt"
	MicrosoftNCSIResp = "Microsoft NCSI"

	// UbuntuConnectivityURL is the URL used by Ubuntu to check internet connectivity
	UbuntuConnectivityURL = "https://connectivity-check.ubuntu.com"
	// UbuntuConnectivityResp will be empty with 204 status code
	UbuntuConnectivityResp = 204
)
View Source 
const SSAEADCipher = "AEAD_CHACHA20_POLY1305"

Variables

View Source 
var (
	CaCrtFile             string // Path to CA cert file
	CaKeyFile             string // Path to CA key file
	ServerCrtFile         string // Path to server cert file
	ServerKeyFile         string // Path to server key file
	ServerPubKey          string // PEM encoded server public key
	OperatorCaCrtFile     string // Path to operator CA cert file
	OperatorCaKeyFile     string // Path to operator CA key file
	OperatorServerCrtFile string // Path to operator cert file
	OperatorServerKeyFile string // Path to operator key file
	OperatorClientCrtFile string // operator client mTLS cert
	OperatorClientKeyFile string // operator client mTLS key
	EmpWorkSpace          string // Path to emp3r0r workspace
	CACrtPEM              []byte // CA cert in PEM format
)
View Source 
var (
	Stager_HTTP_Server http.Server
	Stager_Ctx         context.Context
	Stager_Cancel      context.CancelFunc
)
View Source 
var Flags struct {
	Client     string // client connect address or url
	Server     string // server listen address or url
	Cipher     string // AEAD_CHACHA20_POLY1305
	Key        string // base64url-encoded key (derive from password if empty)
	Password   string // shadowsocks password
	Keygen     int    // generate a base64url-encoded random key of given length in byte
	Socks      string // (client-only) SOCKS listen address
	RedirTCP   string // (client-only) redirect TCP from this address
	RedirTCP6  string // (client-only) redirect TCP IPv6 from this address
	TCPTun     string // (client-only) TCP tunnel (laddr1=raddr1,laddr2=raddr2,...)
	UDPTun     string // (client-only) UDP tunnel (laddr1=raddr1,laddr2=raddr2,...)
	UDPSocks   bool   // (client-only) UDP tunnel (laddr1=raddr1,laddr2=raddr2,...)
	UDP        bool   // (server-only) enable UDP support
	TCP        bool   // (server-only) enable TCP support
	Plugin     string // Enable SIP003 plugin. (e.g., v2ray-plugin)
	PluginOpts string // Set SIP003 plugin options. (e.g., "server;tls;host=mydomain.me")
}

shadowsocks config options

View Source 
var SSServerConfig struct {
	Verbose    bool
	UDPTimeout time.Duration
	TCPCork    bool // coalesce writing first few packets
}

controls ss server

Functions

func CreateEmp3r0rHTTPClient 

func CreateEmp3r0rHTTPClient(c2_addr, proxyServer string) *http.Client

CreateEmp3r0rHTTPClient add our CA to trusted CAs, while keeps TLS InsecureVerify on c2_addr: C2 address, only the hostname will be used proxyServer: proxy server URL, if empty, direct connection will be used

func ExtractCABundle 

func ExtractCABundle(ca_pem []byte) (*x509.CertPool, error)

ExtractCABundle extracts built-in Ubuntu CA bundle

func FwdToDport 

func FwdToDport(ctx context.Context, cancel context.CancelFunc,
	to, sessionID, protocol string, h2 *h2conn.Conn, timeout int,
)

FwdToDport forward request to agent-side destination, h2 <-> tcp/udp

func GenCerts 

func GenCerts(
	hosts []string,
	outcert string,
	outkey string,
	caKeyFile string,
	caCertFile string,
	isCA bool,
) ([]byte, error)

GenCerts generate a CA cert or a server cert signed by CA cert if isCA is true, the outfile will be a CA cert/key named as ca-cert.pem/ca-key.pem if isCA is false, the outfile will be named as is, for example, outfile-cert.pem, outfile-key.pem Returns public key bytes

func GenerateSSHKeyPair 

func GenerateSSHKeyPair() (privateKey, publicKey []byte, err error)

Generate a new key pair for use with openssh

func GetFingerprint 

func GetFingerprint(cert_file string) string

GetFingerprint return SHA256 fingerprint of a cert

func IPinCIDR 

func IPinCIDR(port, cidr string) (ips []string)

IPinCIDR all IPs in a CIDR

func IsProxyOK 

func IsProxyOK(proxy, test_url string) bool

IsProxyOK test if the proxy works against the test URL

func KCPTunClient 

func KCPTunClient(remote_kcp_addr, kcp_listen_port, password, salt string, ctx context.Context, cancel context.CancelFunc) error

main function for KCP tunneling using smux remote_kcp_addr: KCP server address (host:port) kcp_listen_port: KCP client listen port password: Runtime password salt: emp3r0r_def.MagicString

func KCPTunServer 

func KCPTunServer(target, kcp_server_port, password, salt string, ctx context.Context, cancel context.CancelFunc) error

target: target address (host:port) kcp_server_port: KCP server listen port password: Runtime password salt: emp3r0r_def.MagicString

func LoadCACrt 

func LoadCACrt() error

LoadCACrt load CA cert from file

func NamesInCert 

func NamesInCert(cert_file string) (names []string)

NamesInCert find domain names and IPs in server certificate

func NewUTLSRoundTripper 

func NewUTLSRoundTripper(name string, cfg *utls.Config, proxyURL *url.URL) (http.RoundTripper, error)

func ParseCertPemFile 

func ParseCertPemFile(cert_file string) (cert *x509.Certificate, err error)

ParseCertPemFile read from PEM file and return parsed cert

func ParseJSONConfig 

func ParseJSONConfig(config *Config, path string) error

func ParseKeyPemFile 

func ParseKeyPemFile(key_file string) (cert *ecdsa.PrivateKey, err error)

ParseKeyPemFile read from PEM file and return parsed cert

func ParsePem 

func ParsePem(data []byte) (*x509.Certificate, error)

func ParseSSURL 

func ParseSSURL(s string) (addr, cipher, password string, err error)

ParseSSURL parse ss:// URL, eg. ss://AEAD_CHACHA20_POLY1305:your-password@[server_address]:8488

func ProxyHTTP 

func ProxyHTTP(network, addr string, auth *proxy.Auth, forward proxy.Dialer) (*httpProxy, error)

func ProxyHTTPS 

func ProxyHTTPS(network, addr string, auth *proxy.Auth, forward proxy.Dialer, cfg *utls.Config, clientHelloID *utls.ClientHelloID) (*httpProxy, error)

func SSHPublicKey 

func SSHPublicKey(privkey []byte) (pubkey ssh.PublicKey, err error)

SSHPublicKey return ssh.PublicKey from PEM encoded private key

func SSHRemoteFwdClient 

func SSHRemoteFwdClient(ssh_serverAddr, password string,
	hostkey ssh.PublicKey,
	local_port int,
	conns *map[string]context.CancelFunc,
	ctx context.Context, cancel context.CancelFunc,
) (err error)

SSHRemoteFwdClient dial SSHRemoteFwdServer, forward local TCP port to remote server serverAddr format: 127.0.0.1:22 hostkey is the ssh server public key

func SSHRemoteFwdServer 

func SSHRemoteFwdServer(port, password string, hostkey []byte) (err error)

SSHRemoteFwdServer start a ssh proxy server that forward to client side TCP port port: binding port on server side, ssh client will try authentication with this port password: ssh client will try authentication with this password. We will always use RuntimeConfig.ShadowsocksPassword

func SSHReverseProxyClient 

func SSHReverseProxyClient(ssh_serverAddr string,
	password string,
	proxyPort int,
	reverseConns *map[string]context.CancelFunc,
	socks5proxy *socks5.Server,
	ctx context.Context, cancel context.CancelFunc,
) (err error)

SSHReverseProxyClient dial SSHProxyServer, start a reverse proxy serverAddr format: 127.0.0.1:22 FIXME: when using KCP, port number calculation is wrong

func SSMain 

func SSMain(ss_config *SSConfig) (err error)

Start shadowsocks server / client server_addr: addr of shadowsocks server socks_addr: addr of the local socks5 proxy started by shadowsocks client

func ServeFileHTTP 

func ServeFileHTTP(file_path, port string, ctx context.Context, cancel context.CancelFunc) (err error)

func SignECDSA 

func SignECDSA(message []byte, privateKey *ecdsa.PrivateKey) ([]byte, error)

SignECDSA sign a message with ECDSA private key

func SignWithCAKey 

func SignWithCAKey(data []byte) ([]byte, error)

SignWithCAKey signs the given data using the CA's private key

func StartSocks5Proxy 

func StartSocks5Proxy(addr, doh string, proxyserver *socks5.Server) (err error)

StartSocks5Proxy sock5 proxy server on agent, listening on addr

func TCPFwd 

func TCPFwd(addr, port string, ctx context.Context, cancel context.CancelFunc) (err error)

TCPFwd listen on a TCP port and forward to another TCP address addr: forward to this addr port: listen on this port

func TestConnectivity 

func TestConnectivity(test_url, proxy string) bool

TestConnectivity does this machine has internet access,

func VerifySignatureWithCA 

func VerifySignatureWithCA(data []byte, signature []byte) (bool, error)

VerifySignatureWithCA verifies the given signature against the data using the CA's public key

Types

type Config 

type Config struct {
	LocalAddr    string `json:"localaddr"`   // Local listen address, e.g., ":12948"
	Listen       string `json:"listen"`      // kcp server listen address, eg: "IP:29900" for a single port, "IP:minport-maxport"
	Target       string `json:"target"`      // target server address, or path/to/unix_socket
	RemoteAddr   string `json:"remoteaddr"`  // KCP server address, e.g., "vps:29900", can be a single port or port range "IP:minport-maxport"
	Key          string `json:"key"`         // Pre-shared secret between client and server, e.g., "it's a secret"
	Crypt        string `json:"crypt"`       // Encryption method, e.g., aes, aes-128, aes-192, salsa20, blowfish, twofish, etc.
	Mode         string `json:"mode"`        // Performance profile, e.g., fast, fast2, fast3, normal, or manual
	Conn         int    `json:"conn"`        // Number of UDP connections to the server
	AutoExpire   int    `json:"autoexpire"`  // Auto expiration time (in seconds) for a single UDP connection, 0 disables auto-expire
	ScavengeTTL  int    `json:"scavengettl"` // Time (in seconds) an expired connection can remain active before scavenging
	MTU          int    `json:"mtu"`         // Maximum Transmission Unit size for UDP packets
	SndWnd       int    `json:"sndwnd"`      // Send window size (number of packets)
	RcvWnd       int    `json:"rcvwnd"`      // Receive window size (number of packets)
	DataShard    int    `json:"datashard"`   // Number of data shards for Reed-Solomon erasure coding
	ParityShard  int    `json:"parityshard"` // Number of parity shards for Reed-Solomon erasure coding
	DSCP         int    `json:"dscp"`        // DSCP value for quality of service (QoS) marking (6-bit)
	NoComp       bool   `json:"nocomp"`      // Disable compression if set to true
	AckNodelay   bool   `json:"acknodelay"`  // Flush ACK immediately when a packet is received (reduces latency)
	NoDelay      int    `json:"nodelay"`     // KCP 'NoDelay' mode configuration (latency vs throughput trade-off)
	Interval     int    `json:"interval"`    // KCP update interval in milliseconds
	Resend       int    `json:"resend"`      // KCP resend parameter, controls packet retransmission
	NoCongestion int    `json:"nc"`          // Disable KCP congestion control (1 = disable, 0 = enable)
	SockBuf      int    `json:"sockbuf"`     // Per-socket buffer size (in bytes), e.g., 4194304
	SmuxVer      int    `json:"smuxver"`     // Smux version, either 1 or 2
	SmuxBuf      int    `json:"smuxbuf"`     // Overall de-mux buffer size (in bytes), e.g., 4194304
	StreamBuf    int    `json:"streambuf"`   // Per-stream receive buffer size (in bytes) for Smux v2+, e.g., 2097152
	KeepAlive    int    `json:"keepalive"`   // NAT keep-alive interval in seconds
	Log          string `json:"log"`         // Path to the log file, default is empty (logs to stderr)
	SnmpLog      string `json:"snmplog"`     // Path to collect SNMP logs, follows Go time format e.g., "./snmp-20060102.log"
	SnmpPeriod   int    `json:"snmpperiod"`  // SNMP collection period in seconds
	Quiet        bool   `json:"quiet"`       // Suppress 'stream open/close' messages if set to true
	TCP          bool   `json:"tcp"`         // Emulate a TCP connection (Linux only)
	Pprof        bool   `json:"pprof"`       // Enable a profiling server on port :6060 if set to true
	QPP          bool   `json:"qpp"`         // Enable Quantum Permutation Pads (QPP) for added encryption security
	QPPCount     int    `json:"qpp-count"`   // Number of pads to use for QPP (must be a prime number)
	CloseWait    int    `json:"closewait"`   // Time (in seconds) to wait before tearing down a connection
}

Config holds the client configuration for KCP tunneling.

func NewConfig 

func NewConfig(remote_addr, target, port, password, salt string) *Config

remote_addr: KCP server address (host) target: forward to this address, leave empty for client port: KCP listen port on client, server listen port on server

type SSConfig 

type SSConfig struct {
	ServerAddr     string // ss server address
	LocalSocksAddr string // ss client local socks address, leave empty to disable
	Cipher         string // ss cipher, AEAD_CHACHA20_POLY1305
	Password       string // ss password
	IsServer       bool   // is ss server or client or tunnel
	Verbose        bool   // verbose logging

	// Tunnels: eg. :8053=8.8.8.8:53,:8054=8.8.4.4:53
	// (client-only) tunnel (local_addr1=remote_addr1,local_addr2=remote_addr2,...)
	TCPTun string
	UDPTun string

	// used as switch
	Ctx    context.Context
	Cancel context.CancelFunc
}

SSConfig start ss server/client with this config

type UTLSDialer 

type UTLSDialer struct {
	// contains filtered or unexported fields
}

func (*UTLSDialer) Dial 

func (dialer *UTLSDialer) Dial(network, addr string) (net.Conn, error)

type UTLSRoundTripper 

type UTLSRoundTripper struct {
	sync.Mutex
	// contains filtered or unexported fields
}

A http.RoundTripper that uses uTLS (with a specified Client Hello ID) to make TLS connections.

Can only be reused among servers which negotiate the same ALPN.

func (*UTLSRoundTripper) RoundTrip 

func (rt *UTLSRoundTripper) RoundTrip(req *http.Request) (*http.Response, error)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.