https://www.txthinking.com/talks/
Created at: 15 Nov 2021
Updated at: 12 Dec 2022
cloud@txthinking.com
https://www.txthinking.com/shiliew.html
You can see the proxy mode under Proxy & Tun in the left menu of the graphical client. In this mode, the client ignores the Bypass IP, DNS, Fake DNS, Block list, and Block configuration items.
In this mode, it will create:
socks5://[::1]:1080 may be created under an IPv6 network, socks5://127.0.0.1:1080 may be created under an IPv4 network
curl -x socks5://[::1]:1080 http3.ooo
or curl -x socks5://127.0.0.1:1080 http3.ooo
http://[::1]:8010 may be created under an IPv6 network, http://127.0.0.1:8010 may be created under an IPv4 network
curl -x http://[::1]:8010 http3.ooo
or curl -x http://127.0.0.1:8010 http3.ooo
If using a system proxy, such as Chrome:
If the domain name does not match the Bypass Domain list (domain name resolution will be completed on the server):
Initiate a request --HTTP/HTTPS(TCP)--> pac server --> Shiliew client --(Brook protocol)--> brook server/wsserver/wssserver --HTTP/HTTPS(TCP)--> destination
If the domain name matches the Bypass Domain list (domain name resolution will be done locally):
Initiate a request --HTTP/HTTPS(TCP)--> pac server --> local --HTTP/HTTPS(TCP)--> destination
If you don't use the system proxy, for example, you configure the socks5 proxy created above separately in the Telegram client:
Initiate a request --TCP/UDP--> socks5 proxy --TCP/UDP--> Shiliew client --(Brook protocol)--> brook server/wsserver/wssserver --TCP/UDP--> destination
DNS can be specified in any of these forms:
8.8.8.8
2001:4860:4860::8888
223.5.5.5:53
https://dns.alidns.com/dns-query?address=223.5.5.5%3A443
[2400:3200::1]:53
https://dns.alidns.com/dns-query?address=%5B2400%3A3200%3A%3A1%5D%3A443
The Shiliew client will automatically choose whether to configure the system v4 DNS or v6 DNS according to the current network's IPv4/IPv6 situation and the server's IPv4/IPv6.
Without Fake DNS: we know that a network request generally first queries the domain name to get the IP, and then initiates a request to that IP.
First, the DNS query for the IP of the domain name:
A query is made to the system DNS.
If the system DNS does not match bypass (the system DNS is also an IP):
Initiate DNS query --(DNS protocol)--> Shiliew client --(Brook protocol)--> brook server/wsserver/wssserver --(DNS protocol)--> system DNS
If the system DNS matches bypass (the system DNS is also an IP):
Initiate DNS query --(DNS protocol)--> Shiliew client --(DNS protocol)--> system DNS
Then, once the IP of the domain name has been obtained, a network request is initiated to this target IP:
If the IP does not match bypass:
Initiate a request --TCP/UDP--> Shiliew client --(Brook protocol)--> brook server/wsserver/wssserver --TCP/UDP--> target IP
If the IP matches bypass:
Initiate a request --TCP/UDP--> Shiliew client --TCP/UDP--> target IP
With Fake DNS: again, a network request generally first queries the domain name to get the IP, and then initiates a request to that IP.
First, the DNS query for the IP of the domain name:
If the domain name matches the bypass domain name list, a query is made to the bypass DNS.
If the bypass DNS does not match bypass (the bypass DNS is also an IP):
Initiate DNS query --(DNS protocol)--> Shiliew client --(Brook protocol)--> brook server/wsserver/wssserver --(DNS protocol)--> bypass DNS
If the bypass DNS matches bypass (the bypass DNS is also an IP):
Initiate DNS query --(DNS protocol)--> Shiliew client --(DNS protocol)--> bypass DNS
Then, once the IP of the domain name has been obtained, a network request is initiated to this target IP:
If it is a Fake IP (real domain name resolution will be done on the server):
Shiliew client --(convert Fake IP to original domain name)--(Brook protocol)--> brook server/wsserver/wssserver --TCP/UDP--> destination
If it is not a Fake IP:
If the IP does not match the bypass CIDR list:
Initiate a request --TCP/UDP--> Shiliew client --(Brook protocol)--> brook server/wsserver/wssserver --TCP/UDP--> target IP
If the IP matches the bypass CIDR list:
Initiate a request --TCP/UDP--> Shiliew client --TCP/UDP--> target IP
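The two resolution flows above (without and with Fake DNS) are easier to follow as a decision function. The Go program below is an added example written for this page, not code from Shiliew or Brook; the Config field names and the suffix-matching rule for the Bypass Domain list are this example's assumptions. The sample configuration is built from values that appear on this page (the 8.8.8.8 and 223.5.5.5 resolvers and part of the Apple push bypass lists from the last section), and the address 17.1.2.3 is a constructed one inside the 17.0.0.0/8 range. Route returns the hops a request takes; note that the resolver's own IP is subject to the bypass test just like the final target.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Config holds the settings the flows above depend on (field names are this example's own).
type Config struct {
	FakeDNS       bool
	BypassDomains []string     // Bypass Domain list, matched as domain suffixes (assumption)
	BypassCIDRs   []*net.IPNet // Bypass CIDR list
	SystemDNS     net.IP
	BypassDNS     net.IP
}

const (
	viaBrook = "Shiliew client --(Brook protocol)--> brook server/wsserver/wssserver --> "
	viaLocal = "Shiliew client --> "
)

// ViaBrook reports whether a hop string goes through the Brook protocol.
func ViaBrook(hop string) bool { return strings.Contains(hop, "Brook protocol") }

// cidr parses one CIDR literal; the sample entries below are well formed.
func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func matchDomain(domain string, list []string) bool {
	domain = strings.ToLower(strings.TrimSuffix(domain, "."))
	for _, d := range list {
		if d = strings.ToLower(d); domain == d || strings.HasSuffix(domain, "."+d) {
			return true
		}
	}
	return false
}

func matchCIDR(ip net.IP, cidrs []*net.IPNet) bool {
	for _, n := range cidrs {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// dnsHop: the resolver is itself an IP, so the query to it gets the same bypass test.
func dnsHop(cfg Config, resolver net.IP, name string) string {
	if matchCIDR(resolver, cfg.BypassCIDRs) {
		return "DNS query --> " + viaLocal + name
	}
	return "DNS query --> " + viaBrook + name
}

// dataHop: the TCP/UDP request to the resolved target IP.
func dataHop(cfg Config, ip net.IP) string {
	if matchCIDR(ip, cfg.BypassCIDRs) {
		return "request --> " + viaLocal + ip.String()
	}
	return "request --> " + viaBrook + ip.String()
}

// Route returns the hops for one request to domain; resolved is the answer the chosen
// resolver would give. With Fake DNS on and the domain not on the bypass list, the client
// hands out a Fake IP, resolved is unused, and the real lookup happens on the server.
func Route(cfg Config, domain string, resolved net.IP) []string {
	if !cfg.FakeDNS {
		return []string{dnsHop(cfg, cfg.SystemDNS, "system DNS"), dataHop(cfg, resolved)}
	}
	if matchDomain(domain, cfg.BypassDomains) {
		return []string{dnsHop(cfg, cfg.BypassDNS, "bypass DNS"), dataHop(cfg, resolved)}
	}
	return []string{"request --> Shiliew client --(convert Fake IP to " + domain +
		")--(Brook protocol)--> brook server/wsserver/wssserver --> " + domain}
}

// SampleConfig uses values from this page: the 8.8.8.8 and 223.5.5.5 resolvers
// and part of the Apple push bypass lists.
func SampleConfig(fakeDNS bool) Config {
	return Config{
		FakeDNS:       fakeDNS,
		BypassDomains: []string{"apple.com", "icloud.com"},
		BypassCIDRs:   []*net.IPNet{cidr("17.0.0.0/8"), cidr("103.81.148.0/22"), cidr("2620:149:a44::/48")},
		SystemDNS:     net.ParseIP("8.8.8.8"),
		BypassDNS:     net.ParseIP("223.5.5.5"),
	}
}

func main() {
	// 17.1.2.3 is a constructed address inside the 17.0.0.0/8 bypass range.
	for _, h := range Route(SampleConfig(true), "www.apple.com", net.ParseIP("17.1.2.3")) {
		fmt.Println(h)
	}
}
```

With Fake DNS on, www.apple.com is on the bypass list, so its lookup goes to the bypass DNS (223.5.5.5, which is not in the bypass CIDRs, so that query itself travels over Brook) while the data connection to 17.1.2.3 goes direct; a domain that is not on the list never produces a local lookup at all.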
Currently, the Android system has built-in Private DNS (DoT), and the desktop and mobile versions of Chrome provide built-in Secure DNS (DoH). This is ideal for a fully Anycast network world: the DNS queries of ordinary users who are not using a proxy can be encrypted on the intermediate network. But the reality is not ideal.
Suppose a domain name provides different IPs for multiple regions, and the final resolved IP depends on:
When DoT or DoH is turned on, the query content cannot be intercepted to achieve the effect of using different DNS resolvers for different domain names, and FakeDNS cannot be used to resolve domain names on the server side to avoid one more network request.
So we're going to turn it off:
No. You can enable FakeDNS or configure DoH in the Shiliew GUI.
Note: This feature requires programming skills and will run your script to intercept and modify HTTP and HTTPS. At the same time, if the script is complicated, it may consume more resources and reduce performance.
CA certificate: https://txthinking.github.io/ca/ca.pem
MITM requires tun mode
nami install mad ca.txthinking
sudo mad install --ca ~/.nami/bin/ca.pem
MITM requires tun mode
nami install mad ca.txthinking
Open GitBash as administrator
mad install --ca ~/.nami/bin/ca.pem
https://www.youtube.com/watch?v=HSGPC2vpDGk
Android: the subsystem CA and user CA must be installed into the system CA after rooting
One protocol and address per line; the protocol is http:// or https://
Example:
http://http3.ooo:80
https://http3.ooo:443
https://4.http3.ooo:443
https://6.http3.ooo:443
https://txthinking.github.io/bypass/mitm.txt
request represents an HTTP Request, which is a map:
{
    "Method": "GET",             // string, request method
    "URL": "https://http3.ooo/", // string, request url
    "Body": bytes,               // bytes, request body
    "...": "...",
    "User-Agent": "...",         // string, all other keys are request headers
    "...": "..."
}
response represents an HTTP Response, which is a map:
{
    "StatusCode": 200,     // int, response status code
    "Body": bytes,         // bytes, response body
    "...": "...",
    "Server": "txthinking", // string, all other keys are response headers
    "...": "..."
}
The process for each request:
1. The client sends a request to the Shiliew client.
2. Pass request to the script; response is now undefined. The script can choose: modify or not modify request and return request; or return a response, in which case the process ends.
3. Send the request returned by the script to the server.
4. Receive response from the destination.
5. Pass response to the script; request is now the request returned in step 2. The script must modify or not modify response and return response.
6. Respond to the client with the response returned by the script.
If the Body option is not turned on:
request["Body"] passed to the script in step 2 is empty.
request["Body"] returned by the script will be ignored. The body of the original request is still sent to the server.
If the script returns a response in step 2, response["Body"] will also be ignored. Only StatusCode and headers are sent to the client.
response["Body"] and request["Body"] passed to the script in step 5 are empty. At the same time, the response["Body"] returned by the script will also be ignored. The body of the original response is still used to respond to the client.
If enabled (this will consume more memory):
request["Body"] passed to the script in step 2 is not empty.
request["Body"] returned by the script is sent to the server as the body of the request.
If the script returns a response in step 2, response["Body"] is sent to the client as the body of the response.
response["Body"] and request["Body"] passed to the script in step 5 are not empty. At the same time, the response["Body"] returned by the script will be sent to the client as the body of the response.
Example script:
text := import("text")
_ := (func(request, response) {
    // Begin
    if (!response) {
        // Step 2: only request is available. Redirect plain http for http3.ooo
        // by returning a response, which ends the process.
        if (text.has_prefix(request["URL"], "http://http3.ooo")) {
            return {
                "StatusCode": 301,
                "Location": text.replace(request["URL"], "http://", "https://", 1)
            }
        }
        // Rewrite the User-Agent header before the request is sent to the server.
        if (text.has_prefix(request["URL"], "https://http3.ooo")) {
            request["User-Agent"] = "curl/7.79.1"
            return request
        }
        return request
    }
    // Step 5: response is available. Replace the body for 6.http3.ooo
    // (only takes effect when the Body option is enabled).
    if (text.has_prefix(request["URL"], "https://6.http3.ooo")) {
        response["Body"] = bytes("You hacked me :)")
        return response
    }
    return response
    // End
})(request, response)
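To make the six-step process and the Body option rules concrete, here is an added Go example, written for this page rather than taken from Shiliew or Brook. It drives a request through steps 2 to 6 with a script of the same shape as the page's script (rewritten in Go as SampleScript), using a constructed EchoServer in place of the real destination; the Run, Message and Transport names are this example's own. It shows the three outcomes a script can produce: an early response in step 2, a modified request sent onward, and a modified response in step 5, and how the Body option decides whether the script's bodies are honoured or silently replaced by the originals.

```go
package main

import (
	"fmt"
	"strings"
)

// Message is the map the script sees: "Method", "URL" and "Body" for a request,
// "StatusCode" and "Body" for a response; every other key is a header.
type Message map[string]any

// Script has the shape of the MITM script: (request, response) -> request or response.
type Script func(request, response Message) Message

// Transport stands in for steps 3 and 4: send the request, receive the response.
type Transport func(request Message) Message

func clone(m Message) Message {
	c := Message{}
	for k, v := range m {
		c[k] = v
	}
	return c
}

func bodyOf(m Message) []byte { b, _ := m["Body"].([]byte); return b }

func isResponse(m Message) bool { _, ok := m["StatusCode"]; return ok }

// Run drives one client request through steps 2 to 6 and applies the Body option
// rules; it returns the response that goes back to the client.
func Run(s Script, t Transport, request Message, bodyEnabled bool) Message {
	// Step 2: pass request to the script; response is undefined (nil here).
	in := clone(request)
	if !bodyEnabled {
		in["Body"] = []byte{}
	}
	r := s(in, nil)
	if isResponse(r) {
		// The script answered directly, so the process ends here.
		if !bodyEnabled {
			r["Body"] = []byte{} // only StatusCode and headers reach the client
		}
		return r
	}
	// Step 3: send the returned request. With Body off, the script's Body is
	// ignored and the original request body is sent.
	toServer := clone(r)
	if !bodyEnabled {
		toServer["Body"] = bodyOf(request)
	}
	response := t(toServer) // step 4
	// Step 5: pass response to the script; request is the one returned in step 2.
	reqIn, respIn := clone(r), clone(response)
	if !bodyEnabled {
		reqIn["Body"], respIn["Body"] = []byte{}, []byte{}
	}
	out := s(reqIn, respIn)
	// Step 6: respond to the client. With Body off the original body is kept.
	if !bodyEnabled {
		out["Body"] = bodyOf(response)
	}
	return out
}

// SampleScript is the page's script rewritten in Go: redirect plain http for
// http3.ooo, set the User-Agent for https://http3.ooo, replace the body for
// https://6.http3.ooo.
func SampleScript(request, response Message) Message {
	url, _ := request["URL"].(string)
	if response == nil {
		if strings.HasPrefix(url, "http://http3.ooo") {
			return Message{"StatusCode": 301, "Location": strings.Replace(url, "http://", "https://", 1)}
		}
		if strings.HasPrefix(url, "https://http3.ooo") {
			request["User-Agent"] = "curl/7.79.1"
		}
		return request
	}
	if strings.HasPrefix(url, "https://6.http3.ooo") {
		response["Body"] = []byte("You hacked me :)")
	}
	return response
}

// EchoServer is a constructed stand-in for the destination: it answers 200 with a
// fixed body and copies the request's User-Agent into a header for inspection.
func EchoServer(request Message) Message {
	return Message{"StatusCode": 200, "Server": "txthinking",
		"Echo-User-Agent": request["User-Agent"], "Body": []byte("original body")}
}

func main() {
	req := Message{"Method": "GET", "URL": "https://6.http3.ooo/", "Body": []byte("q=1")}
	for _, enabled := range []bool{true, false} {
		resp := Run(SampleScript, EchoServer, clone(req), enabled)
		fmt.Printf("Body option %v: status=%v body=%q\n", enabled, resp["StatusCode"], bodyOf(resp))
	}
}
```

Running it shows the body replacement for 6.http3.ooo only when the Body option is on; with it off, the script still runs but the client receives the original body, which is why a script that edits bodies appears to do nothing until that option is enabled.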
You can use App Privacy Report, mitmproxy helper and Wireshark Helper to capture packets and determine what to modify. The principle difference of mobile phone packet capture software
Use tun2brook to debug the script so that you can print data inside the script
macOS and Windows need to enable tun mode
It is recommended to enable logging only when necessary, to prevent the log file from becoming too large.
To receive push notifications, Apple servers only allow Ethernet, cellular data, and Wi-Fi connections. So you need to bypass the relevant domain names and IPs:
https://support.apple.com/en-us/HT210060
Domain:
apple.com
icloud.com
cdn-apple.com
mzstatic.com
entrust.net
digicert.com
verisign.net
apple
CIDR4:
17.0.0.0/8
103.81.148.0/22
103.81.148.0/24
103.81.149.0/24
CIDR6:
2620:149:a44::/48
2403:300:a42::/48
2403:300:a51::/48
2a01:b740:a42::/48