How the Shiliew GUI works

https://www.txthinking.com/talks/
Created at: 15 Nov 2021
Updated at: 12 Dec 2022
cloud@txthinking.com

Table of Contents

• Shiliew
• macOS graphical client proxy mode, Windows graphical client proxy mode
  • rule
  • Data flow
• macOS graphical client tun mode, Windows graphical client tun mode, iOS graphical client, Android graphical client
  • rule
  • Data flow
    • Configure system DNS
    • When Fake DNS is disabled
    • Fake DNS when enabled
• Why and how to turn off system and browser secure DNS
  • Will closing it reduce security?
• MITM
  • ROOT CA
  • Require
    • macOS
    • Windows
    • iOS
    • Android
  • Rule
  • script
  • request
  • response
  • process
  • MITM with Body
  • Example
  • Debug
• Log
• Apple push issues
• Enjoy

Shiliew

https://www.txthinking.com/shiliew.html

macOS graphical client proxy mode, Windows graphical client proxy mode

You can see the proxy mode in Proxy & Tun in the left menu of the graphical client. In this mode, it will ignore: Bypass IP, DNS, Fake DNS, Block list, Block configuration items.

In this mode, will create:

• socks5 proxy: socks5://[::1]:1080 may be created under IPv6 network, socks5://127.0.0.1:1080 may be created under IPv4 network
  • If you need to use this socks5 proxy directly, you can use curl to determine which proxy is created: curl -x socks5://[::1]:1080 http3.ooo or curl -x socks5://127.0. 0.1:1080 http3.ooo
• http proxy: http://[::1]:8010 may be created under IPv6 network, http://127.0.0.1:8010 may be created under IPv4 network
  • If you need to use this http proxy directly, you can use curl to determine which proxy was created: curl -x http://[::1]:1080 http3.ooo or curl -x http://127.0. 0.1:1080 http3.ooo
• A pac server will be created based on the Bypass Domain list, and the system proxy will be configured to use this pac
  • But it should be noted that some software may not use the proxy configured by the system

rule

• Bypass Domain list is a txt file, one domain name per line
• Suffix matching pattern: For example, if there is a.com in the list, then a.com, x.a.com, x.x.a.com will all be matched; for example, if there is cn in the list, then x.cn, x.x.cn will all be matched

Data flow

• If using a system proxy, such as Chrome:

  • The domain name does not match the Bypass Domain list (domain name resolution will be completed on the server)

        Initiate a request --HTTP/HTTPS(TCP)--> pac server --> Shiliew client --(Brook protocol)--> brook server/wsserver/wssserver --HTTP/HTTPS(TCP)--> destination
    

  • The domain name matches the Bypass Domain list (domain name resolution will be done locally)

        Initiate a request --HTTP/HTTPS(TCP)--> pac server --> local --HTTP/HTTPS(TCP)--> destination
    

• If you don't use the system proxy, for example, configure the socks5 proxy created above separately on the Telegram client:

      Initiate request --TCP/UDP--> socks5 proxy --TCP/UDP--> Shiliew client --(Brook protocol) --> brook server/wsserver/wssserver --TCP/UDP--> destination
  

macOS graphical client tun mode, Windows graphical client tun mode, iOS graphical client, Android graphical client

rule

can be specified

• Fake DNS switch
• Bypass switch
  • If disabled, bypass domain name list, bypass CIDR4 list, bypass CIDR6 list will be ignored
• a list of bypass domains
  • The list is a txt file, one domain name per line
  • Suffix matching pattern: For example, if there is a.com in the list, then a.com, x.a.com, x.x.a.com will all be matched; for example, if there is cn in the list, then x.cn, x.x.cn will all be matched
  • If the CNAME is to another domain name, it also needs to be added to the list
• a bypass CIDR4 list
  • The list is a txt file, one CIDR per line, each CIDR is actually an IPv4 IP segment
  • Matching mode: it will traverse all CIDR4, if it contains the IP to be requested, it will be matched. Otherwise, it will not be matched
• a bypass CIDR6 list
  • the list is just a txt file, one CIDR per line, each CIDR is actually an IPv6 IP segment
  • Matching mode: it will traverse all CIDR4, if it contains the IP to be requested, it will be matched. Otherwise, it will not be matched
• Block switch
• a list of block domains
  • The list is a txt file, one domain name per line
  • Suffix matching pattern: For example, if there is a.com in the list, then a.com, x.a.com, x.x.a.com will all be matched; for example, if there is cn in the list, then x.cn, x.x.cn will all be matched
• A system v4 DNS, such as 8.8.8.8
  • Note: do not bypass this DNS
• a system v6 DNS, such as 2001:4860:4860::8888
  • Note: do not bypass this DNS
• a bypass v4 DNS
  • Support normal DNS, such as 223.5.5.5:53
  • DoH is supported, but the address of DoH needs to be specified through the parameter address, such as https://dns.alidns.com/dns-query?address=223.5.5.5%3A443
  • Automatic Bypass
• a bypass v6 DNS
  • Support normal DNS, such as [2400:3200::1]:53
  • DoH is supported, but the address of DoH needs to be specified through the parameter address, such as https://dns.alidns.com/dns-query?address=%5B2400%3A3200%3A%3A1%5D%3A443
  • Automatic Bypass

Data flow

Configure system DNS

Shiliew client will automatically choose to configure system v4 DNS or v6 DNS according to the current network IPv4/IPv6 situation and server IPv4/IPv6.

When Fake DNS is disabled

We know that a network request generally first queries the domain name to get the IP, and then initiates a request to the IP.

1. An application is ready to initiate a network request

2. The first is the IP of the DNS query domain name

   • Make a query to the system DNS

     • If the system DNS does not match bypass (the system DNS is also an IP)

           Initiate DNS query --(DNS protocol)--> Shiliew client --(Brook protocol)--> brook server/wsserver/wssserver --(DNS protocol)--> System DNS
       

     • If the system DNS matches bypass (the system DNS is also an IP)

           Initiate DNS query --(DNS protocol)--> Shiliew client --(DNS protocol)--> System DNS
       

3. The IP of the domain name has been queried, ready to initiate a network request to this target IP

   • if IP does not match bypass

         Initiate a request --TCP/UDP--> Shiliew client --(Brook protocol)--> brook server/wsserver/wssserver --TCP/UDP--> target IP
     

   • if IP matches bypass

         Initiate request --TCP/UDP--> Shiliew client --TCP/UDP--> target IP
     

Fake DNS when enabled

We know that a network request generally first queries the domain name to get the IP, and then initiates a request to the IP.

1. An application is ready to initiate a network request

2. The first is the IP of the DNS query domain name

   • If the Block switch is on, if the domain name matches the block domain name list, it will directly block the resolution during DNS resolution.
   • The domain name does not match the bypass domain name list
     • Return Fake IP by Fake DNS

   • The domain name matches the bypass domain name list

     • Initiate a query to bypass DNS

       • If bypass DNS does not match bypass (bypass DNS is also an IP)

             Initiate DNS query --(DNS protocol)--> Shiliew client --(Brook protocol)--> brook server/wsserver/wssserver --(DNS protocol)--> bypass DNS
         

       • If bypass DNS matches bypass (bypass DNS is also an IP)

             Initiate DNS query --(DNS protocol)--> Shiliew client --(DNS protocol)--> bypass DNS
         

3. The IP of the domain name has been queried, ready to initiate a network request to this target IP

   • If it is Fake IP (real domain name resolution will be done on the server)

         Shiliew client --(Convert Fake IP to original domain name)--(Brook protocol)--> brook server/wsserver/wssserver --TCP/UDP--> destination
     

   • if not Fake IP

     • if the IP does not match the bypass CIDR list

           Initiate a request --TCP/UDP--> Shiliew client --(Brook protocol)--> brook server/wsserver/wssserver --TCP/UDP--> target IP
       

     • if the IP matches the bypass CIDR list

           Initiate request --TCP/UDP--> Shiliew client --TCP/UDP--> target IP
       

Why and how to turn off system and browser secure DNS

Currently, the Android system has built-in Private DNS(DoT), and the desktop and mobile versions of Chrome provide built-in Secure DNS(DoH). This is ideal for full AnThe DNS query of ordinary users in the ycast network world and not using a proxy can achieve encryption in the intermediate network. But the reality is not ideal.

Suppose a domain name provides different IPs for multiple regions, and the final resolved IP depends on:

1. DNS Server used
2. The network that initiates the DNS query

When DoT or DoH is turned on, the query content cannot be intercepted to achieve the effect of using different DNS resolutions for different domain names, and FakeDNS cannot be used to resolve domain names on the server side to avoid one more network request.

So we're going to close it:

• Android: Settings -> Network & internet -> Private DNS -> Off
• Chrome on Mobile: Settings -> Privacy and security -> Use secure DNS -> Off
• Chrome on Desktop: Settings -> Privacy and security -> Security -> Use secure DNS -> Off
• Windows: Windows Settings -> Network & Internet -> Your Network -> DNS settings -> Edit -> Preferred DNS -> Unencrypted only -> 8.8.8.8

Will closing it reduce security?

No. You can enable FakeDNS or configure DoH in Shiliew GUI.

MITM

Note: This feature requires programming skills and will run your script to intercept and modify HTTP and HTTPS. At the same time, if it is complicated to write, it may take up more resources and performance.

ROOT CA

https://txthinking.github.io/ca/ca.pem

Require

• The ROOT CA above must be installed
• FakeDNS must be enabled

macOS

MITM requires tun mode

nami install mad ca.txthinking
sudo mad install --ca ~/.nami/bin/ca.pem

Windows

MITM requires tun mode

nami install mad ca.txthinking

Open GitBash as administrator

mad install --ca ~/.nami/bin/ca.pem

iOS

https://www.youtube.com/watch?v=HSGPC2vpDGk

Android

Android subsystem CA and user CA must be installed into the system CA after rooting

Rule

One protocol and address per line

• Protocol support http:// and https://
• Strict address matching mode, the address is the Host and the port, do not include the path

Example

http://http3.ooo:80
https://http3.ooo:443
https://4.http3.ooo:443
https://6.http3.ooo:443

https://txthinking.github.io/bypass/mitm.txt

script

• Use tengo
• Support Builtin Functions
• Support for Standard Library

request

request represents an HTTP Request, which is a map

{
	"Method": "GET", // string, request method
	"URL": "https://http3.ooo/", // string, request url
	"Body": bytes, // bytes, request body
	"...": "...",
	"User-Agent": "...", // string, all other keys are request header
	"...": "..."
}

response

response represents an HTTP Response, which is a map

{
	"StatusCode": 200, // int, response status code
	"Body": bytes, // bytes, request body
	"...": "...",
	"Server": "txthinking", // string, all other keys are response header
	"...": "..."
}

process

1. Shiliew first matches the rule address, and then prepares data according to the protocol corresponding to the address in the rule
2. Shiliew passes request to the script, response is now undefined. The script can choose:
   • modify or not modify request and return request
   • if a new response is returned. The process ends
3. Shiliew sends the request returned by the script to the server
4. Shiliew gets the response from the destination
5. Shiliew passes response to the script, request is now the request of the first return, the script must: modify or not modify response and return response

MITM with Body

If not turned on

• The request["Body"] passed to the script in step 2 is empty.
  • At the same time, the request["Body"] returned by the script will be ignored. The body of the original request is still used to send to the server
  • or response["Body"] will also be ignored. Only respond to client with StatusCode and headers
• response["Body"] and request["Body"] passed to the script in step 5 are empty. At the same time, the response["Body"] returned by the script will also be ignored. The body of the original response is still used to respond to the client

If enabled. Will consume more memory

• request["Body"] passed to the script in step 2 is not empty
  • At the same time, the request["Body"] returned by the script is sent to the server as the body of the request
  • or response["Body"] is sent to the client as the body of the response
• response["Body"] and request["Body"] passed to the script in step 5 are not empty. At the same time, the response["Body"] returned by the script will be sent to the client as the body of the response

Example

text := import("text")

_ := (func(request, response) {

    // Begin

    if(!response){
        if(text.has_prefix(request["URL"], "http://http3.ooo")){
            return {
                "StatusCode": 301,
                "Location": text.replace(request["URL"], "http://", "https://", 1)
            }
        }
        if(text.has_prefix(request["URL"], "https://http3.ooo")){
            request["User-Agent"] = "curl/7.79.1"
            return request
        }
        return request
    }
    if(text.has_prefix(request["URL"], "https://6.http3.ooo")){
        response["Body"] = bytes("You hacked me :)")
        return response
    }
    return response
    // End

})(request, response)

Debug

You can use App Privacy Report mitmproxy helper and Wireshark Helper capture packets to determine what to modify. The principle difference of mobile phone packet capture software

Use tun2brook to debug the script so you can print data inside the script

Log

macOS and Windows need to enable tun mode

It is recommended to enable it only when necessary. Prevent the log file from being too large.

Apple push issues

To receive pushes, Apple Server only allows Ethernet, cellular data, Wi-Fi connections. So you need to Bypass the relevant domain name and IP:

https://support.apple.com/en-us/HT210060

https://support.apple.com/en-us/HT210060

Domain

apple.com
icloud.com
cdn-apple.com
mzstatic.com
entrust.net
digicert.com
verisign.net
apple

CIDR4

17.0.0.0/8
103.81.148.0/22
103.81.148.0/24
103.81.149.0/24

CIDR6

2620:149:a44::/48
2403:300:a42::/48
2403:300:a51::/48
2a01:b740:a42::/48

Enjoy

• https://www.txthinking.com/shiliew.html