Intshayelelo
Kwinxalenye yokuqala Sinike inkcazo emfutshane yendlela efihliweyo ye-SNI (eSNI). Babonise indlela, ngokusekelwe kuyo, kunokwenzeka ukuba uphephe ukubhaqwa kweenkqubo zeDPI zanamhlanje (usebenzisa umzekelo we-Beeline DPI kunye ne-RKN evaliweyo ingcambu ye-root tracker), kwaye iphinde ihlolisise inguqu entsha ye-domain fronting esekelwe kule ndlela.
Kwinxalenye yesibini yenqaku, siya kuqhubela phambili kwizinto ezisebenzayo eziya kuba luncedo kwiingcali zeRedTeam kumsebenzi wabo onzima. Ekugqibeleni, injongo yethu ayikukufumana ukufikelela kwizixhobo ezivaliweyo (kwizinto ezincinci ezinjalo sineVPN endala). Ngethamsanqa, kukho uluhlu olukhulu lwababoneleli beVPN, njengoko bethetha, kuyo yonke incasa, umbala kunye nohlahlo lwabiwo-mali.
Siza kuzama ukusebenzisa i-domain-fronting mechanism kwizixhobo zanamhlanje ze-RedTeam, umzekelo, ezifana ne-Cobalt Strike, i-Empire, njl.
Ngexesha lokugqibela siphumeze indlela ye-eSNI kwithala leencwadi le-OpenSSL kwaye sayisebenzisa ngempumelelo kwinto eqhelekileyo ye-curl. Kodwa, njengoko bethetha, awuyi kwaneliseka ngenkukhu enye. Ngokuqinisekileyo, ndingathanda ukuphumeza into efanayo kwiilwimi eziphezulu. Kodwa, ngelishwa, ukukhangela okukhawulezayo kwi-Intanethi kuyasidanisa, kuba inkxaso yendlela ye-eSNI iphunyezwe ngokupheleleyo kuphela kwiGOLANG. Ke, asinalo ukhetho oluninzi: nokuba sibhala kwiC ecocekileyo okanye i-C ++ sisebenzisa ithala leencwadi le-OpenSSL ecoliweyo, okanye sisebenzisa ifolokhwe yeGOLANG eyahlukileyo ukusuka kwi-CloudFlare kwaye sizame ukufaka izixhobo zethu apho. Ngokomgaqo, kukho enye inketho, i-classical, kodwa kwangaxeshanye ichitha ixesha - ukuphumeza inkxaso ye-eSNI yePython. Emva kwayo yonke loo nto, iPython ikwasebenzisa i-OpenSSL ukuphatha i-https. Kodwa siya kushiya olu khetho lokuphuhliswa ngomnye umntu, kwaye thina ngokwethu siya kuneliseka ngokuphunyezwa eGolang, ngakumbi ekubeni i-Cobalt Strike yethu ethandekayo ikwazi ngokugqibeleleyo ukusebenza kunye nejelo lonxibelelwano elakhiwe ngezixhobo zeqela lesithathu (Ishaneli ye-C2 yangaphandle) - siza kuthetha ngale nto ekupheleni kwenqaku.
Zama Kakhulu...
Esinye sezixhobo eziphunyeziweyo kwiGo kuphuhliso lwethu lokungena kuthungelwano-itonela , leyo, ngendlela, ngoku ifunyenwe zizixhobo ezivela kwiMicrosoft kunye ne-Symantec njenge-software enobungozi kakhulu ejoliswe ukuphazamisa uzinzo lwehlabathi ...
Kuya kuba kuhle ukusebenzisa uphuhliso lwangaphambili kule meko. Kodwa apha kuvela ingxaki encinci. Inyani kukuba ekuqaleni i-rsockstun ithetha ukusetyenziswa kwejelo lonxibelelwano le-SSL elihambelanayo kunye nomncedisi. Oku kuthetha ukuba unxibelelwano lusekwe kube kanye kwaye lukhona ngalo lonke ixesha lokusebenza kwetonela. Kwaye, njengoko uqonda, i-https protocol ayijoliswanga kule ndlela yokusebenza - isebenza kwimo yesicelo-impendulo, apho isicelo ngasinye se-http sikhona ngaphakathi koqhagamshelwano olutsha lwe-tcp.
Eyona nto ingalunganga yesi sikimu kukuba umncedisi akakwazi ukudlulisela idatha kumxhasi de umxhasi athumele isicelo esitsha se-http. Kodwa, ngethamsanqa, kukho iindlela ezininzi zokusombulula le ngxaki-ukusasaza idatha nge-http protocol (emva kwayo yonke loo nto, siyakwazi ukubukela imiboniso bhanyabhanya yethu esiyithandayo kwaye simamele umculo ovela kwii-portal ezisebenza kwi-https, kodwa ukusasaza ividiyo kunye neaudio ayikho enye into. kunedatha yostrimisho). Enye yetekhnoloji yokulinganisa ukusebenza koqhagamshelo olupheleleyo lwe-TCP ngaphezulu kweprotocol ye-HTTP yitekhnoloji yeWebSockets, eyona nto iphambili kukuququzelela uqhagamshelo olupheleleyo lwenethiwekhi phakathi komxhasi kunye nomncedisi weWebhu.
Ngethamsanqa kuthi (hooray !!!), le teknoloji ifakwe ngokungagqibekanga kuzo zonke izicwangciso zentlawulo ze-CloudFlare kwaye isebenza kakuhle ngokudibanisa ne-eSNI. Yile nto kanye esiza kuyisebenzisa ukufundisa i-tunnel yethu ukusebenzisa i-domain-fronting kunye nokufihla kwiiDPI zanamhlanje.
Kancinci malunga neWebSockets
Okokuqala, siza kuthetha ngokufutshane nangamagama alula malunga nee-websockets ukuze wonke umntu abe nombono wento esiza kusebenza nayo.
Itekhnoloji yeWebsocket ikuvumela ukuba utshintshe okwethutyana ukusuka kuqhagamshelo lwe-http ukuya kuthungelwano oluqhelekileyo lwesokhethi yenethiwekhi ngaphandle kokwaphula uqhagamshelo olusekiweyo lweTCP. Xa umxhasi efuna ukutshintshela kwi-websocket, icwangcisa iiheader ezininzi ze-http kwisicelo sayo se-http. Iiheader ezimbini ezifunekayo - Uqhagamshelwano: Phucula и Uphuculo: websocket. Uyakwazi ukukhankanya ngamandla uguqulelo lweprotocol yewebhu (I-Sec-Websockset-Version: 13) kunye nento efana nesazisi se-base64 sewebhu (I-Sec-WebSocket-Key: DAGDJSiREI3+KjDfwxm1FA==). Umncedisi uphendula kuye ngekhowudi ye-http ye-101 Ukutshintsha iiProtocols kwaye ikwaseta iiheader Uqhagamshelwano, uPhuculo и I-Sec-WebSocket-Yamkela. Inkqubo yokutshintsha iboniswe ngokucacileyo kwiskrini esingezantsi:
Emva koku, ukufakela uqhagamshelo lweWebSocket kunokuqwalaselwa kugqityiwe. Nayiphi na idatha evela kumxhasi kunye nomncedisi ngoku ayizukunikezelwa nge-http, kodwa ngeentloko zeWebSocket (ziqala nge-byte 0x82). Ngoku umncedisi akadingeki ukuba alinde isicelo esivela kumxhasi ukudlulisa idatha, kuba Umdibaniso we-tcp awophukanga.
IGolang inamathala eencwadi aliqela okusebenza ngeesokethi zewebhu. Ezona zidumileyo kubo kunye nomgangatho . Siza kusebenzisa le yokugqibela, kuba... ilula, incinci kwaye, njengoko besithi, isebenza ngokukhawuleza kancinci.
Kwikhowudi yomxhasi we-rsockstun, kufuneka sibuyisele i-net.dial okanye i-tls.dial iminxeba ngeminxeba ehambelanayo yeWebSocket:
Sifuna ukwenza umxhasi ube yinxalenye yetonela yethu jikelele kwaye ekwazi ukusebenza zombini ngoqhagamshelo oluthe ngqo lwe-SSL kunye ne-WebSockset protocol. Kule nto siza kudala umsebenzi owahlukileyo func connectForWsSocks(umtya wedilesi, umtya weproxy) impazamo {...} ngokuthelekisa ne connectForSocks() kwaye siya kuyisebenzisa ukusebenza nge sokethi zewebhu ukuba idilesi yomncedisi ekhankanyiweyo xa uqalwa umxhasi iqala nge ws: okanye wss: (kwimeko ye Secure WebSocket).
Kwicala lomncedisi wetonela, siya kwenza umsebenzi owahlukileyo wokusebenza kunye neesokethi zewebhu. Iyakwenza umzekelo weklasi ye-http kwaye usete isibambi soqhagamshelo lwe-http (umsebenzi we-wsHandler):
Kwaye siya kubeka yonke ingqiqo yokucwangcisa unxibelelwano (ugunyaziso lomxhasi usebenzisa igama eligqithisiweyo, ukuseta kunye nokuphelisa iseshoni yeyamux) kwisibambi soqhagamshelo lweWebSocket:
Siqulunqa iprojekthi kwaye siqalise inxalenye yeseva:
./rsockstun –listen ws:127.0.0.1:8080 –pass P@ssw0rdKwaye ke inxalenye yomthengi:
./rsockstun -connect ws:127.0.0.1:8080 –pass P@ssw0rdKwaye sijonga umsebenzi kumamkeli wendawo:
Masiqhubele phambili kwi-domain fronting
Kubonakala ngathi sifumene ii-websockets. Ngoku masiye ngqo kwi-eSNI kunye ne-domain fronting. Njengoko bekutshiwo ngaphambili, ukusebenzisana ne-DoH kunye ne-eSNI kufuneka sithathe isebe elikhethekileyo le-golang kwinkampani . Sifuna isebe elinenkxaso ye-eSNI (pwu/esni).
Siyilinganisa ekuhlaleni okanye sikhuphele kwaye singacinezeli i-zip ehambelana nayo:
git clone -b pwu/esni https://github.com/cloudflare/tls-tris.gitEmva koko kufuneka sikopishe i-GOROOT directory, sitshintshe iifayile ezihambelanayo kwisebe elidibeneyo kwaye liyibeke njengenkosi. Ukugcina umphuhlisi kule ntloko, abafana abavela kwi-CloudFlare balungiselele iskripthi esikhethekileyo - _dev/go.sh. Siyiphehlelela nje. Iskripthi kunye ne-makefile siya kwenza yonke into ngokwazo. Ukuzonwabisa nje, unokukhangela ngaphakathi kwi-makefile ngeenkcukacha.
Emva kokuqhuba iskripthi, xa siqulunqa iprojekthi, kuya kufuneka sicacise ulawulo lwendawo olulungiswe siskripthi njengeGOROOT. Kwimeko yethu ibonakala ngolu hlobo:
GOROOT="/opt/tls-tris/_dev/GOROOT/linux_amd64" go build ….Okulandelayo, kufuneka siphumeze kwitonela ukusebenza kokucela kunye nokwahlulahlula izitshixo ze-eSNI zoluntu kwisizinda esifunwayo. Kwimeko yethu, ezi ziya kuba zizitshixo ze-eSNI zikawonkewonke ezivela kwiiseva zangaphambili ze-CloudFlare. Ukwenza oku, siya kudala imisebenzi emithathu:
func makeDoTQuery(dnsName string) ([]byte, error)
func parseTXTResponse(buf []byte, wantName string) (string, error)
func QueryESNIKeysForHost(hostname string) ([]byte, error)Amagama emisebenzi, ngokomgaqo, athetha ngokwawo. Siza kuthatha umxholo kwifayile esni_query.go, eyinxalenye ye-tls-tris. Umsebenzi wokuqala udala ipakethe yenethiwekhi ngesicelo kwiseva ye-CloudFlare DNS usebenzisa i-protocol ye-DoH (DNS-over-HTTPS), eyesibini yahlula iziphumo zemibuzo kwaye ifumana amaxabiso ezitshixo zikawonke-wonke ze-domain, kwaye eyesithathu i isikhongozeli sesibini sokuqala.
Okulandelayo, songeza uqhagamshelo lwesokhethi yewebhu kumsebenzi wethu osanda kwakhiwa connectForWsSocks umsebenzi wokucela izitshixo ze-eSNI zendawo. Apho icandelo lomncedisi lisebenza khona, siseta iiparamitha ze-TLS, kwaye siseta negama lomgunyathi "lommandla ofihlakeleyo":
Kufuneka kuqatshelwe apha ukuba ekuqaleni, i-tls-tris yesebe yayingenzelwanga ukusetyenziswa kwendawo yokusebenzela ephambili. Ke ngoko, ayinikeli ngqalelo kwigama lomncedisi womgunyathi (indawo engenanto ye-serverName ithunyelwa njengenxalenye yepakethe ye-client-hello). Ukulungisa oku, kuya kufuneka songeze indawo ehambelanayo yeFakeServerName kwisakhiwo seTlsConfig. Asinakusebenzisa indawo esemgangathweni ye-ServerName yesakhiwo, kuba isetyenziswa ziindlela zangaphakathi ze-tls kwaye ukuba ziyohluka kweyoqobo, ukuxhawulana kwe-tls kuyakuphela ngempazamo. Inkcazelo yesakhiwo se TlsConfig iqulethwe kwifayile tls/common.go -kufuneka siyilungise:
Ukongeza, kuya kufuneka senze utshintsho kwifayile tls/handshake_client.goukusebenzisa indawo yethu yeFakeServerName xa usenza ukuxhawula ngesandla kwe-TLS:
Kuko konke! Ungaqokelela iprojekthi kwaye ujonge umsebenzi. Kodwa ngaphambi kokuba uqhube iskena, kufuneka usete iakhawunti ye-CloudFlare. Ewe, ndingatsho njani ukuba iyisete - yenza nje iakhawunti kwi-cloudflare kwaye udibanise isizinda sakho kuyo. Zonke iimpawu ezinxulumene ne-DoH, iWebSocket kunye ne-ESNI zibandakanyiwe kwi-CloudFlare ngokuzenzekelayo. Emva kokuba iirekhodi ze-DNS zihlaziyiwe, unokujonga ukusebenza kwesizinda ngokubuza izitshixo ze-eSNI:
dig +short txt _esni.df13tester.info 
Ukuba ubona into efanayo kwisizinda sakho, oko kuthetha ukuba yonke into ikusebenzela kwaye ungaqhubeka novavanyo.
Qalisa Ubuntu Umzekelo, i-VPS kwiDigitalOcean. PS: Kwimeko yethu, idilesi ye-IP ye-VPS esisandula ukuyifumana kumboneleli wethu iphele ikuluhlu olumnyama lukaRoskomnadzor. Ngoko ke ungamangaliswa ukuba kwenzeka into efanayo nakuwe. Kwakufuneka ndisebenzise iVPN ukuze ndifikelele kwi-VPS yam.
Sikopa i-rsockstun esele iqokelelwe kwiVPS (oku, ngendlela, bobunye ubuhle beGolang - ungaqokelela iprojekthi ngokwakho kwaye uyiqhube kuyo nayiphi na iLinux, ujonge kuphela isuntswana lenkqubo) kwaye uqalise icandelo leseva:
Kwaye ke inxalenye yomthengi:
Njengoko sibona, umxhasi uqhagamshelwe ngempumelelo kumncedisi nge-CloudFlare frontend server usebenzisa i-websocket. Ukujonga ukuba itonela isebenza kanye njengetonela, unokwenza isicelo se-curl ngeekawusi zasekhaya5, vula kumncedisi:
Ngoku makhe sibone ukuba iDPI ibona ntoni kumjelo wonxibelelwano:
Okokuqala, i-tunnel, isebenzisa indlela ye-DoH, iqhagamshelana ne-Cloudflare DNS iseva yezitshixo ze-eSNI zendawo ekuyiwa kuyo (iipakethi zeNombolo ye-1-19), kwaye emva koko uqhagamshelane nomncedisi wangaphambili kwaye useke uxhulumaniso lwe-TLS, lufihla emva kwendawo. (Eli lixabiso elimiselweyo xa kungekho thambeka lobuxoki lichaziweyo xa umxhasi eqala). Ukuchaza indawo yakho yobuxoki, kufuneka usebenzise i -fronfDomain iparamitha:
Ngoku enye into. Ngokungagqibekanga, useto lweakhawunti yeCloudFalre lusetelwe kwiFlexible SSL. Oku kuthetha ukuba izicelo ze-https kwi-Cloudflare frontend servers ezivela kubaxumi ziya kuthunyelwa ngokungafihlwanga (http) kumncedisi wethu. Yingakho siqalise i-server inxalenye yetonela kwimodi engeyiyo ye-ssl ( -mamela ws: 0.0.0.0), kwaye kungekhona ( -mamela wss: 0.0.0.0).
Ukuze utshintshele kwimodi yoguqulelo olupheleleyo, kufuneka ukhethe Pheleleyookanye Igcwele (ngqongqo) ukuba kukho isatifikethi sokwenyani kumncedisi. Emva kokutshintsha imo, siya kukwazi ukwamkela uqhagamshelo oluvela kwi-CloudFlare usebenzisa i-https protocol. Ungalibali ukwenza isatifikethi esizisayinileyo secala lomncedisi wetonela.
Umfundi onomdla wokwazi uza kubuza athi: “Kuthekani ngomthengi ophantsi Windows"Emva kwayo yonke loo nto, eyona ndlela iphambili yokusebenzisa i-tunneler kukumisela unxibelelwano oluvela kwiimashini zeenkampani kunye neeseva, kwaye ezo zihlala ziyiWindows. Ndingayihlanganisa njani i-tunneler yeWindows, ingakumbi nge-TLS stack ethile?" Ngoku siza kwazisa olunye uphawu olubonisa indlela iGolang eluncedo ngayo. Sihlanganisa iWindows ngqo kwiKali ngokongeza nje iparameter yeGOOS=windows:
GOARCH=amd64 GOROOT="/opt/tls-tris/_dev/GOROOT/linux_amd64" GOOS=windows go build -ldflags="-s -w"Okanye i-32-bit version:
GOARCH=386 GOROOT="/opt/tls-tris/_dev/GOROOT/linux_amd64" GOOS=windows go build -ldflags="-s -w"Konke! Kwaye akusayi kubakho nkathazo. Iyasebenza ngokwenene!
Iiflegi ze--w kunye ne-s compiler ziyafuneka ukususa inkunkuma engafunekiyo kwifayile ephunyezwayo, iyenze isibini seemegabytes ezincinci. Ukongeza, inokupakishwa kusetyenziswa i-UPX ukunciphisa ngakumbi ubungakanani.
Endaweni yesiphelo
Kwinqaku, sisebenzisa umzekelo wetonela ebhalwe eGolang, sibonise ngokucacileyo ukusetyenziswa kwetheknoloji entsha ye-domain-fronting, ephunyezwe kwinto enomdla kakhulu ye-TLS 1.3 protocol. Ngendlela efanayo, unokulungelelanisa izixhobo ezikhoyo ezibhalwe kwiGolang ukuze usebenze ngeeseva ze-CloudFlare, umzekelo -C2 edumileyo, okanye inyanzelise iCobaltStrike Beacon ukuba isebenzise i-eSNI domain-fronting xa usebenza neTeamserver nge. , iphunyezwe kwi-Golang, okanye kwi-C ++ eqhelekileyo isebenzisa inguqulelo ekhutshiweyo ye-OpenSSL, esithethe ngayo kwinxalenye yokugqibela yenqaku. Ngokubanzi, akukho mida kwintelekelelo.
Umzekelo kunye ne-tunnel kunye ne-CloudFlare inikezelwa ngendlela yombono kwaye kusenzima ukuthetha malunga nethuba elide lolu hlobo lwe-domain fronting. Okwangoku, kuphela i-CloudFlare exhasa i-eSNI kwaye, ngokwethiyori, akukho nto ibathintelayo ekukhubazeni olu hlobo lokujonga phambili kwaye, umzekelo, ukwaphula imidibaniso ye-tls ukuba i-SNI kunye ne-eSNI azihambelani. Ngokubanzi, ikamva liya kuxela. Kodwa okwangoku, ithemba lokusebenza phantsi "kwekhava yekremlin.ru" libukeka lilinga kakhulu. Akunjalo?
Ikhowudi yetonela ehlaziyiweyo, kunye neefayile eziphunyeziweyo eziqokelelweyo, zibekwe kwisebe elahlukileyo leprojekthi. . Kungcono ukubhala umba malunga nazo zonke iingxaki ezinokuthi zenzeke kwi-tunnel kwiphepha leprojekthi kwi-GitHub.
umthombo: www.habr.com
