diff --git a/README.md b/README.md index 83d96e3..5d74ad4 100644 --- a/README.md +++ b/README.md @@ -147,11 +147,12 @@ Available flags: - `--fake-sni-seq-len=` This flag specifies **youtubeUnblock** to build a complicated construction of fake client hello packets. length determines how much fakes will be sent. Defaults to **1**. -- `--faking-strategy={randseq|ttl|tcp_check|pastseq}` This flag determines the strategy of fake packets invalidation. Defaults to `randseq` +- `--faking-strategy={randseq|ttl|tcp_check|pastseq|md5sum}` This flag determines the strategy of fake packets invalidation. Defaults to `randseq` - `randseq` specifies that random sequence/acknowledgemend random will be set. This option may be handled by provider which uses *conntrack* with drop on invalid *conntrack* state firewall rule enabled. - `ttl` specifies that packet will be invalidated after `--faking-ttl=n` hops. `ttl` is better but may cause issues if unconfigured. - `pastseq` is like `randseq` but sequence number is not random but references the packet sent in the past (before current). - `tcp_check` will invalidate faking packet with invalid checksum. May be handled and dropped by some providers/TSPUs. + - `md5sum` will invalidate faking packet with invalid TCP md5sum. md5sum is a TCP option which is handled by the destination server but may be skipped by TSPU. - `--faking-ttl=` Tunes the time to live (TTL) of fake SNI messages. TTL is specified like that the packet will go through the DPI system and captured by it, but will not reach the destination server. Defaults to **8**. @@ -200,6 +201,8 @@ If you are on Chromium you may have to disable *kyber* (the feature that makes t If your browser is using QUIC it may not work properly. Disable it in Chrome in `chrome://flags` and in Firefox `network.http.http{2,3}.enable(d)` in `about:config` option. +It seems like some TSPUs started to block wrongseq packets, so you should play around with faking strategies. I personally recommend to start with `md5sum` faking strategy. + ### TV Televisions are the biggest headache. diff --git a/args.c b/args.c index 2b44a8a..42df82a 100644 --- a/args.c +++ b/args.c @@ -152,7 +152,7 @@ void print_usage(const char *argv0) { printf("\t--fake-sni-seq-len=\n"); printf("\t--fake-seq-offset=\n"); printf("\t--faking-ttl=\n"); - printf("\t--faking-strategy={randseq|ttl|tcp_check|pastseq}\n"); + printf("\t--faking-strategy={randseq|ttl|tcp_check|pastseq|md5sum}\n"); printf("\t--synfake={1|0}\n"); printf("\t--synfake-len=\n"); printf("\t--frag={tcp,ip,none}\n"); @@ -282,6 +282,8 @@ int parse_args(int argc, char *argv[]) { config.faking_strategy = FAKE_STRAT_TCP_CHECK; } else if (strcmp(optarg, "pastseq") == 0) { config.faking_strategy = FAKE_STRAT_PAST_SEQ; + } else if (strcmp(optarg, "md5sum") == 0) { + config.faking_strategy = FAKE_STRAT_TCP_MD5SUM; } else { goto invalid_opt; } @@ -450,6 +452,9 @@ void print_welcome() { case FAKE_STRAT_PAST_SEQ: printf("Past seq faking strategy will be used\n"); break; + case FAKE_STRAT_TCP_MD5SUM: + printf("md5sum faking strategy will be used\n"); + break; } if (config.fk_winsize) { diff --git a/config.h b/config.h index b1f5ab9..b69b3a7 100644 --- a/config.h +++ b/config.h @@ -91,6 +91,7 @@ extern struct config_t config; #define FAKE_STRAT_TTL 2 #define FAKE_STRAT_PAST_SEQ 3 #define FAKE_STRAT_TCP_CHECK 4 +#define FAKE_STRAT_TCP_MD5SUM 5 #ifndef FAKING_STRATEGY diff --git a/mangle.c b/mangle.c index e42221e..df0ee5a 100644 --- a/mangle.c +++ b/mangle.c @@ -424,6 +424,7 @@ int send_tcp_frags(const uint8_t *packet, uint32_t pktlen, const uint32_t *poses uint8_t fake_pad[MAX_PACKET_SIZE]; uint32_t f1len = MAX_PACKET_SIZE; uint32_t f2len = MAX_PACKET_SIZE; + uint32_t fake_pad_len = MAX_PACKET_SIZE; int ret; @@ -459,9 +460,9 @@ send_frag1: } send_fake: - // TODO if (config.frag_sni_faked) { uint32_t iphfl, tcphfl; + fake_pad_len = f2len; ret = tcp_payload_split(frag2, f2len, NULL, &iphfl, NULL, &tcphfl, NULL, NULL); if (ret < 0) { lgerror("Invalid frag2", ret); @@ -475,12 +476,12 @@ send_fake: fakethdr->seq = htonl(ntohl(fakethdr->seq) - dvs); lgtrace_addp("%u, ", ntohl(fakethdr->seq)); } - ret = fail_packet(fake_pad, f2len); + ret = fail_packet(fake_pad, &fake_pad_len, MAX_PACKET_SIZE); if (ret < 0) { lgerror("Failed to fail packet", ret); return ret; } - ret = send_tcp_frags(fake_pad, f2len, NULL, 0, 0); + ret = send_tcp_frags(fake_pad, fake_pad_len, NULL, 0, 0); if (ret < 0) { return ret; } @@ -854,7 +855,7 @@ int gen_fake_sni(const void *ipxh, uint32_t iph_len, const char *data = config.fake_sni_pkt; size_t data_len = config.fake_sni_pkt_sz; - size_t dlen = iph_len + tcph_len + data_len; + uint32_t dlen = iph_len + tcph_len + data_len; if (*buflen < dlen) return -ENOMEM; @@ -872,14 +873,24 @@ int gen_fake_sni(const void *ipxh, uint32_t iph_len, niph->ip6_ctlun.ip6_un1.ip6_un1_plen = htons(dlen - iph_len); } - fail_packet(buf, *buflen); - + fail_packet(buf, &dlen, *buflen); *buflen = dlen; return 0; } -int fail_packet(uint8_t *payload, uint32_t plen) { +#define TCP_MD5SIG_LEN 16 +#define TCP_MD5SIG_KIND 19 +struct tcp_md5sig_opt { + uint8_t kind; + uint8_t len; + uint8_t sig[TCP_MD5SIG_LEN]; +}; +#define TCP_MD5SIG_OPT_LEN (sizeof(struct tcp_md5sig_opt)) +// Real length of the option, with NOOP fillers +#define TCP_MD5SIG_OPT_RLEN 20 + +int fail_packet(uint8_t *payload, uint32_t *plen, uint32_t avail_buflen) { void *iph; uint32_t iph_len; struct tcphdr *tcph; @@ -888,14 +899,18 @@ int fail_packet(uint8_t *payload, uint32_t plen) { uint32_t dlen; int ret; - ret = tcp_payload_split(payload, plen, + ret = tcp_payload_split(payload, *plen, &iph, &iph_len, &tcph, &tcph_len, &data, &dlen); + uint32_t ipxv = netproto_version(payload, *plen); + if (ret < 0) { return ret; } + int sizedelta = 0; + if (config.faking_strategy == FAKE_STRAT_RAND_SEQ) { lgtrace("fake seq: %u -> ", ntohl(tcph->seq)); @@ -920,7 +935,6 @@ int fail_packet(uint8_t *payload, uint32_t plen) { } else if (config.faking_strategy == FAKE_STRAT_TTL) { lgtrace_addp("set fake ttl to %d", config.faking_ttl); - uint32_t ipxv = netproto_version(payload, plen); if (ipxv == IP4VERSION) { ((struct iphdr *)iph)->ttl = config.faking_ttl; } else if (ipxv == IP6VERSION) { @@ -929,6 +943,43 @@ int fail_packet(uint8_t *payload, uint32_t plen) { lgerror("fail_packet: IP version is unsupported", -EINVAL); return -EINVAL; } + } else if (config.faking_strategy == FAKE_STRAT_TCP_MD5SUM) { + int optp_len = tcph_len - sizeof(struct tcphdr); + int delta = TCP_MD5SIG_OPT_RLEN - optp_len; + lgtrace_addp("Incr delta %d: %d -> %d", delta, optp_len, optp_len + delta); + + if (delta > 0) { + if (avail_buflen - *plen < delta) { + return -1; + } + uint8_t *ndata = data + delta; + memcpy(ndata, data, dlen); + data = ndata; + tcph_len = tcph_len + delta; + tcph->doff = tcph_len >> 2; + if (ipxv == IP4VERSION) { + ((struct iphdr *)iph)->tot_len = htons(ntohs(((struct iphdr *)iph)->tot_len) + delta); + } else if (ipxv == IP6VERSION) { + ((struct ip6_hdr *)iph)->ip6_plen = htons(ntohs(((struct ip6_hdr *)iph)->ip6_plen) + delta); + } else { + lgerror("fail_packet: IP version is unsupported", -EINVAL); + return -EINVAL; + } + optp_len += delta; + *plen += delta; + } + + uint8_t *optplace = (uint8_t *)tcph + sizeof(struct tcphdr); + struct tcp_md5sig_opt *mdopt = (void *)optplace; + mdopt->kind = TCP_MD5SIG_KIND; + mdopt->len = TCP_MD5SIG_OPT_LEN; + + optplace += sizeof(struct tcp_md5sig_opt); + optp_len -= sizeof(struct tcp_md5sig_opt); + + while (optp_len-- > 0) { + *optplace++ = 0x01; + } } set_ip_checksum(iph, iph_len); diff --git a/mangle.h b/mangle.h index da0de99..25ff6a7 100644 --- a/mangle.h +++ b/mangle.h @@ -30,7 +30,7 @@ int gen_fake_sni(const void *iph, uint32_t iph_len, * Invalidates the raw packet. The function aims to invalid the packet * in such way as it will be accepted by DPI, but dropped by target server */ -int fail_packet(uint8_t *payload, uint32_t plen); +int fail_packet(uint8_t *payload, uint32_t *plen, uint32_t avail_buflen); #define PKT_ACCEPT 0 #define PKT_DROP 1