-
Notifications
You must be signed in to change notification settings - Fork 34
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit b8a9c7a
Showing
20 changed files
with
2,050 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| # If you prefer the allow list template instead of the deny list, see community template: | ||
| # https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore | ||
| # | ||
| # Binaries for programs and plugins | ||
| *.exe | ||
| *.exe~ | ||
| *.dll | ||
| *.so | ||
| *.dylib | ||
|
|
||
| # Test binary, built with `go test -c` | ||
| *.test | ||
|
|
||
| # Output of the go coverage tool, specifically when used with LiteIDE | ||
| *.out | ||
|
|
||
| # Dependency directories (remove the comment below to include it) | ||
| # vendor/ | ||
|
|
||
| # Go workspace file | ||
| go.work | ||
| go.work.sum | ||
|
|
||
| # env file | ||
| .env | ||
| config.json | ||
| dist/ | ||
| cmd/grss/client/grs* | ||
| cmd/grss/files.go | ||
| .vscode/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| MIT License | ||
|
|
||
| Copyright (c) 2024 [fullname] | ||
|
|
||
| Permission is hereby granted, free of charge, to any person obtaining a copy | ||
| of this software and associated documentation files (the "Software"), to deal | ||
| in the Software without restriction, including without limitation the rights | ||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
| copies of the Software, and to permit persons to whom the Software is | ||
| furnished to do so, subject to the following conditions: | ||
|
|
||
| The above copyright notice and this permission notice shall be included in all | ||
| copies or substantial portions of the Software. | ||
|
|
||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
| SOFTWARE. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| ## reality | ||
|
|
||
| <https://github.com/XTLS/REALITY> | ||
|
|
||
| reality是安全传输层的实现,其和TLS类似都实现了安全传输,除此之外还进行TLS指纹伪装 | ||
|
|
||
| 简单来说就是: | ||
|
|
||
| 1. 确定一个伪装服务器目标,比如https://example.com | ||
| 1. 当普通客户端来访问reality服务端时,将其代理到example.com | ||
| 1. 当特殊客户端来访问reality服务端时,进行特定处理流程 | ||
|
|
||
| ### reality原理 | ||
|
|
||
| 具体来说就是在客户端与伪装服务器进行TLS握手的同时,也进行了私有握手 | ||
|
|
||
| 首先reality服务端和特殊客户端预先共享一对公私密钥(x25519) | ||
|
|
||
| 私有握手关键步骤如下: | ||
|
|
||
| 1. 特殊客户端在Client Hello中 | ||
| 1. 生成临时公私密钥对(x25519) | ||
| 1. Client Hello中将Extension的key_share修改为临时公钥 | ||
| 1. 通过临时私钥与预先共享的公钥,以及hkdf算法生成authkey | ||
| 1. 通过authkey对版本号、时间戳等信息加密,并替换Client Hello中的Session ID字段 | ||
| 1. reality服务端收到Client Hello后 | ||
| 1. 通过预先共享的私钥和Client Hello中的临时公钥,以及hkdf算法生成authkey | ||
| 1. 通过authkey解密Session ID字段,并验证时间戳、版本号信息 | ||
| 1. 验证成功则生成一个临时可信证书(ed25519) | ||
| 1. 验证失败则代理到伪装服务器 | ||
| 1. 特殊客户端在收到reality服务端证书后 | ||
| 1. 通过hmac算法和authkey计算证书签名,与收到的证书签名对比 | ||
| 1. 若签名一致,进行特定处理流程 | ||
| 1. 若签名不一致 | ||
| 1. 但签名是example.com的真证书,则进入爬虫模式 | ||
| 1. 否则发送TLS alert | ||
|
|
||
| <https://github.com/XTLS/Xray-core/issues/1697#issuecomment-1441215569> | ||
|
|
||
| ### reality的特点和限制 | ||
|
|
||
| 特点: | ||
|
|
||
| 1. 完美模拟了伪装服务器的TLS指纹 | ||
| 1. 特殊客户端巧妙的利用TLS1.3的key_share和Session ID字段进行私有握手 | ||
| 1. 这两字段原本都是随机的,即使替换也没有特征 | ||
| 1. 不需要域名,也不需要证书 | ||
|
|
||
| 限制: | ||
|
|
||
| 只能使用TLS1.3,且必须使用x25519 | ||
|
|
||
| 1. key_share是TLS1.3新增内容<https://www.rfc-editor.org/rfc/rfc8446#section-4.2.8> | ||
| 1. reality服务端返回的临时证书本质上是有特征的,但TLS1.3中Certificate包是加密的,也就规避了这一问题 | ||
| 1. 如果伪装服务器目标不使用x25519,则私有握手无法成功 | ||
|
|
||
|
|
||
| ## 与原版的reality的区别 | ||
|
|
||
| 1. 使用两组预共享公私钥,分别用于密钥交换/验签,验签使用额外一次通信进行 | ||
| 2. 模仿站必须是tls1.2,且最好使用aead的套件 | ||
| 1. TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 | ||
| 1. TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | ||
| 1. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ||
| 1. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ||
| 1. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ||
| 1. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ||
| 1. TLS_RSA_WITH_AES_128_GCM_SHA256 | ||
| 1. TLS_RSA_WITH_AES_256_GCM_SHA384 | ||
| 3. 服务端代码实现更简单,不需要修改tls库,用读写过滤的方式来判断是否已经握手完成 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| # grs | ||
|
|
||
| 1. grss(Golang Reverse SOCKS5 Server) 服务端,需要有公网IP的机器上 | ||
| 1. grsc(Golang Reverse SOCKS5 Client) 客户端,需要运行于想要穿透的内网中机器上 | ||
| 1. grsu(Golang Reverse SOCKS5 User) 用户端,需要运行于用户机器上,提供socks5服务 | ||
|
|
||
|
|
||
| grs是一个反向socks5代理,其中grss和grsc和grsu是通过REALITY协议通信 | ||
|
|
||
| 关于REALITY协议: [README-REALITY.md](./README-REALITY.md) | ||
|
|
||
| 相对于frp,nps等内网穿透工具有以下特点 | ||
|
|
||
| 1. 完美消除网络特征 | ||
| 1. 防止服务端被主动探测 | ||
| 1. 客户端和用户端内嵌配置,不需要命令行或额外配置文件 | ||
|
|
||
| ## 使用步骤 | ||
|
|
||
| ### 生成配置、客户端、用户端 | ||
|
|
||
| `grss gen www.qq.com:443 127.0.0.1:443` | ||
|
|
||
| 1. `www.qq.com:443` 是被模拟的目标 | ||
| 1. `127.0.0.1:443` 是服务器监听地址,这里要填写公网IP,端口最好和模拟目标一致 | ||
|
|
||
| 若SNIAddr或ServerAddr不指定,则尝试加载已有配置文件 | ||
|
|
||
| ```txt | ||
| Usage: | ||
| grss [OPTIONS] gen [gen-OPTIONS] [SNIAddr] [ServerAddr] | ||
| generate server config and client | ||
| Help Options: | ||
| -h, --help Show this help message | ||
| [gen command options] | ||
| -d debug | ||
| -f=[chrome|firefox|safari|ios|android|edge|360|qq] client finger print (default: chrome) | ||
| -e= expire second (default: 30) | ||
| -o= server config output path (default: config.json) | ||
| --dir= client output directory (default: .) | ||
| [gen command arguments] | ||
| SNIAddr: tls server address, e.g. example.com:443 | ||
| ServerAddr: server address, e.g. 8.8.8.8:443 | ||
| ``` | ||
|
|
||
| ### 启动服务端 | ||
|
|
||
| `grss serv` | ||
|
|
||
| ```txt | ||
| Usage: | ||
| grss [OPTIONS] serv [serv-OPTIONS] | ||
| run server | ||
| Help Options: | ||
| -h, --help Show this help message | ||
| [serv command options] | ||
| -o= server config path (default: config.json) | ||
| ``` | ||
|
|
||
| ### 启动客户端 | ||
|
|
||
| `grsc` | ||
|
|
||
| ### 启动用户端 | ||
|
|
||
| `grsu` | ||
|
|
||
| ```txt | ||
| Usage of grsu: | ||
| -l string | ||
| socks5 listen address (default "127.0.0.1:61080") | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| #!/bin/bash | ||
|
|
||
| mkdir -p dist | ||
| CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -trimpath -ldflags "-s -w" -o ./cmd/grss/client/grsc_darwin ./cmd/grsc | ||
| CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -ldflags "-s -w" -o ./cmd/grss/client/grsc_linux ./cmd/grsc | ||
| CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -trimpath -ldflags "-s -w" -o ./cmd/grss/client/grsc_windows.exe ./cmd/grsc | ||
|
|
||
| CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -trimpath -ldflags "-s -w" -o ./cmd/grss/client/grsu_darwin ./cmd/grsu | ||
| CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -ldflags "-s -w" -o ./cmd/grss/client/grsu_linux ./cmd/grsu | ||
| CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -trimpath -ldflags "-s -w" -o ./cmd/grss/client/grsu_windows.exe ./cmd/grsu | ||
|
|
||
| go-bindata -nomemcopy -nometadata -prefix cmd/grss/client -o ./cmd/grss/files.go ./cmd/grss/client/ | ||
|
|
||
| CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -tags forceposix -trimpath -ldflags "-s -w" -o ./dist/grss_darwin ./cmd/grss | ||
| CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -tags forceposix -trimpath -ldflags "-s -w" -o ./dist/grss_linux ./cmd/grss | ||
| CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -tags forceposix -trimpath -ldflags "-s -w" -o ./dist/grss_windows.exe ./cmd/grss | ||
|
|
||
| cp README.md ./dist | ||
| cp README-REALITY.md ./dist |
Oops, something went wrong.