Add TLS ClientHello fake packet generator

This commit is contained in:
RknMustDie512 2024-09-25 21:56:10 +03:00 committed by ValdikSS
parent c0f43a293e
commit 810aef6aed
4 changed files with 143 additions and 0 deletions

View File

@ -67,6 +67,10 @@ Usage: goodbyedpi.exe [OPTION...]
--fake-from-hex <value> Load fake packets for Fake Request Mode from HEX values (like 1234abcDEF). --fake-from-hex <value> Load fake packets for Fake Request Mode from HEX values (like 1234abcDEF).
This option can be supplied multiple times, in this case each fake packet This option can be supplied multiple times, in this case each fake packet
would be sent on every request in the command line argument order. would be sent on every request in the command line argument order.
--fake-with-sni <value> Generate fake packets for Fake Request Mode with given SNI domain name.
The packets mimic Mozilla Firefox 130 TLS ClientHello packet
(with random generated fake SessionID, key shares and ECH grease).
Can be supplied multiple times for multiple fake packets.
--fake-gen <value> Generate random-filled fake packets for Fake Request Mode, value of them --fake-gen <value> Generate random-filled fake packets for Fake Request Mode, value of them
(up to 30). (up to 30).
--fake-resend <value> Send each fake packet value number of times. --fake-resend <value> Send each fake packet value number of times.

View File

@ -57,6 +57,91 @@ static const unsigned char fake_https_request[] = {
0x00, 0x00, 0x00, 0x00, 0x00 0x00, 0x00, 0x00, 0x00, 0x00
}; };
// Captured from Firefox 130.0.1
static const unsigned char fake_clienthello_part0[] = { // 116 bytes
// TLS 1.2 ClientHello header (DD for length placeholder)
0x16, 0x03, 0x01, 0xDD, 0xDD, 0x01, 0x00, 0xDD, 0xDD, 0x03, 0x03,
// Random bytes (AA for placeholder)
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
// Random Session ID
0x20,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
// Cipher Suites
0x00, 0x22, 0x13, 0x01, 0x13, 0x03, 0x13, 0x02, 0xC0, 0x2B, 0xC0, 0x2F, 0xCC, 0xA9, 0xCC, 0xA8,
0xC0, 0x2C, 0xC0, 0x30, 0xC0, 0x0A, 0xC0, 0x09, 0xC0, 0x13, 0xC0, 0x14, 0x00, 0x9C, 0x00, 0x9D,
0x00, 0x2F, 0x00, 0x35,
// Compression Methods
0x01, 0x00,
// Extensions Length
0xDD, 0xDD,
};
// SNI: 00 00 L1 L1 L2 L2 00 L3 L3 (sni)
// L1 = L+5, L2 = L+3, L3 = L // 9 + L bytes
static const unsigned char fake_clienthello_part1[] = { // 523 bytes
// extended_master_secret
0x00, 0x17, 0x00, 0x00,
// renegotiation_info
0xFF, 0x01, 0x00, 0x01, 0x00,
// supported_groups
0x00, 0x0A, 0x00, 0x0E,
0x00, 0x0C, 0x00, 0x1D, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x01, 0x00, 0x01, 0x01,
// ex_point_formats
0x00, 0x0B, 0x00, 0x02, 0x01, 0x00,
// session_ticket
0x00, 0x23, 0x00, 0x00,
// ALPN
0x00, 0x10, 0x00, 0x0E,
0x00, 0x0C, 0x02, 0x68, 0x32, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2F, 0x31, 0x2E, 0x31,
// status_request
0x00, 0x05, 0x00, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00,
// delegated_credentials
0x00, 0x22, 0x00, 0x0A, 0x00, 0x08, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02, 0x03,
// key_share
0x00, 0x33, 0x00, 0x6B, 0x00, 0x69, 0x00, 0x1D, 0x00, 0x20,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0x00, 0x17, 0x00, 0x41, 0x04,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
// supported_versions
0x00, 0x2B, 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03,
// signature_algorithms
0x00, 0x0D, 0x00, 0x18, 0x00, 0x16, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x08, 0x04, 0x08, 0x05,
0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x03, 0x02, 0x01,
// psk_key_exchange_modes
0x00, 0x2D, 0x00, 0x02, 0x01, 0x01,
// record_size_limit
0x00, 0x1C, 0x00, 0x02, 0x40, 0x01,
// encrypted_client_hello
0xFE, 0x0D, 0x01, 0x19, 0x00, 0x00, 0x01, 0x00, 0x01, 0xAA, 0x00, 0x20,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0x00, 0xEF,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA
};
// JA4: t13d1715h2_5b57614c22b0_5c2c66f702b0
// JA4_r: t13d1715h2_002f,0035,009c,009d,1301,1302,1303,c009,c00a,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0017,001c,0022,0023,002b,002d,0033,fe0d,ff01_0403,0503,0603,0804,0805,0806,0401,0501,0601,0203,0201
// JA3 Fullstring: 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-34-51-43-13-45-28-65037,29-23-24-25-256-257,0
// JA3: b5001237acdf006056b409cc433726b0
static int send_fake_data(const HANDLE w_filter, static int send_fake_data(const HANDLE w_filter,
const PWINDIVERT_ADDRESS addr, const PWINDIVERT_ADDRESS addr,
const char *pkt, const char *pkt,
@ -311,3 +396,46 @@ int fake_load_random(unsigned int count, unsigned int maxsize) {
} }
return 0; return 0;
} }
void set_uint16be(unsigned char *buffer, int offset, int value) {
buffer[offset] = (value >> 8) & 0xFF;
buffer[offset + 1] = value & 0xFF;
}
int fake_load_from_sni(const char *domain_name) {
if (!domain_name) {
return 1; // just extra safeguard against NPE
}
// calculate sizes
const int name_size = strlen(domain_name);
const int part0_size = sizeof(fake_clienthello_part0);
const int part1_size = sizeof(fake_clienthello_part1);
const int sni_head_size = 9;
const int packet_size = part0_size + part1_size + sni_head_size + name_size;
// allocate memory
unsigned char *packet = malloc(packet_size);
// copy major parts of packet
memcpy(packet, fake_clienthello_part0, part0_size);
memcpy(&packet[part0_size + sni_head_size + name_size], fake_clienthello_part1, part1_size);
// replace placeholders with random generated values
unsigned int random = 0;
for (int i = 0; i < packet_size; i++) {
if (packet[i] == 0xAA) {
rand_s(&random);
packet[i] = random & 0xFF;
}
}
// write size fields into packet
set_uint16be(packet, 0x0003, packet_size - 5);
set_uint16be(packet, 0x0007, packet_size - 9);
set_uint16be(packet, 0x0072, packet_size - 116);
// write SNI extension
set_uint16be(packet, part0_size + 0, 0x0000);
set_uint16be(packet, part0_size + 2, name_size + 5);
set_uint16be(packet, part0_size + 4, name_size + 3);
packet[part0_size + 6] = 0x00;
set_uint16be(packet, part0_size + 7, name_size);
memcpy(&packet[part0_size + sni_head_size], domain_name, name_size);
// add packet to fakes
return fake_add(packet, packet_size);
}

View File

@ -19,4 +19,5 @@ int send_fake_https_request(const HANDLE w_filter,
const BYTE set_seq const BYTE set_seq
); );
int fake_load_from_hex(const char *data); int fake_load_from_hex(const char *data);
int fake_load_from_sni(const char *domain_name);
int fake_load_random(unsigned int count, unsigned int maxsize); int fake_load_random(unsigned int count, unsigned int maxsize);

View File

@ -189,6 +189,7 @@ static struct option long_options[] = {
{"reverse-frag",no_argument, 0, '(' }, {"reverse-frag",no_argument, 0, '(' },
{"max-payload", optional_argument, 0, '|' }, {"max-payload", optional_argument, 0, '|' },
{"fake-from-hex", required_argument, 0, 'u' }, {"fake-from-hex", required_argument, 0, 'u' },
{"fake-with-sni", required_argument, 0, '}' },
{"fake-gen", required_argument, 0, 'j' }, {"fake-gen", required_argument, 0, 'j' },
{"fake-resend", required_argument, 0, 't' }, {"fake-resend", required_argument, 0, 't' },
{"debug-exit", optional_argument, 0, 'x' }, {"debug-exit", optional_argument, 0, 'x' },
@ -948,6 +949,11 @@ int main(int argc, char *argv[]) {
printf("WARNING: bad fake HEX value %s\n", optarg); printf("WARNING: bad fake HEX value %s\n", optarg);
} }
break; break;
case '}': // --fake-with-sni
if (fake_load_from_sni(optarg)) {
printf("WARNING: bad domain name for SNI: %s\n", optarg);
}
break;
case 'j': // --fake-gen case 'j': // --fake-gen
if (fake_load_random(atoub(optarg, "Fake generator parameter error!"), 200)) { if (fake_load_random(atoub(optarg, "Fake generator parameter error!"), 200)) {
puts("WARNING: fake generator has failed!"); puts("WARNING: fake generator has failed!");
@ -1013,6 +1019,10 @@ int main(int argc, char *argv[]) {
" --fake-from-hex <value> Load fake packets for Fake Request Mode from HEX values (like 1234abcDEF).\n" " --fake-from-hex <value> Load fake packets for Fake Request Mode from HEX values (like 1234abcDEF).\n"
" This option can be supplied multiple times, in this case each fake packet\n" " This option can be supplied multiple times, in this case each fake packet\n"
" would be sent on every request in the command line argument order.\n" " would be sent on every request in the command line argument order.\n"
" --fake-with-sni <value> Generate fake packets for Fake Request Mode with given SNI domain name.\n"
" The packets mimic Mozilla Firefox 130 TLS ClientHello packet\n"
" (with random generated fake SessionID, key shares and ECH grease).\n"
" Can be supplied multiple times for multiple fake packets.\n"
" --fake-gen <value> Generate random-filled fake packets for Fake Request Mode, value of them\n" " --fake-gen <value> Generate random-filled fake packets for Fake Request Mode, value of them\n"
" (up to 30).\n" " (up to 30).\n"
" --fake-resend <value> Send each fake packet value number of times.\n" " --fake-resend <value> Send each fake packet value number of times.\n"