diff --git a/README.md b/README.md
index d070e33..6a5ffac 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,7 @@
 ## 探测防御
 - 设置参数密码-p 可开启探测防御功能,服务端检测到非被客户端发起的请求后将会作为标准的SNI代理服务器,转发用于伪装源站的所有流量,对主动探测者而言这台服务器是指定网站的官方服务器
 - 若被大量请求可能造成服务器产生大量流量,注意风控
+- 引入utls组件,伪装TLS ClientHello指纹为Chrome 102版本,进一步对抗探测
 ## 流量加密
 - 设置加密密钥参数-k 可启用流量加密,密钥长度必须为16,24或32个字符
diff --git a/go.mod b/go.mod
index 56fecda..8b1464b 100644
--- a/go.mod
+++ b/go.mod
@@ -3,10 +3,15 @@ module shadowTLS
 go 1.18
 require (
+ github.com/refraction-networking/utls v1.1.3
 github.com/spf13/cobra v1.5.0
 )
 require (
+ github.com/andybalholm/brotli v1.0.4 // indirect
 github.com/inconshreveable/mousetrap v1.0.0 // indirect
+ github.com/klauspost/compress v1.13.6 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
+ golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa // indirect
+ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
 )
diff --git a/go.sum b/go.sum
index e64da46..5b3bc48 100644
--- a/go.sum
+++ b/go.sum
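Review bot: The new direct requirement `github.com/refraction-networking/utls v1.1.3` in go.mod's first require block moves the client's TLS handshake onto a fork of crypto/tls, so fixes to the handshake code now arrive only through utls releases and no longer with the Go toolchain. Nothing in the commit records that; a comment above the line such as `// utls replaces crypto/tls on the client path; TLS fixes come from utls releases, keep this pinned version under review` would help, and running `govulncheck ./...` in CI would catch advisories against it. The indirect `golang.org/x/crypto` and `golang.org/x/sys` entries it pulls in are 2021 pseudo-versions and need the same attention.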
@@ -1,12 +1,28 @@ +github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY= +github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/klauspost/compress v1.13.6 h1:P76CopJELS0TiO2mebmnzgWaajssP/EszplttgQxcgc= +github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= +github.com/refraction-networking/utls v1.1.3 h1:K9opY+iKxcGvHOBG2019wFEVtsNFh0f5WqHyc2i3iU0= +github.com/refraction-networking/utls v1.1.3/go.mod h1:+D89TUtA8+NKVFj1IXWr0p3tSdX1+SqUB7rL0QnGqyg= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU= github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/xtaci/smux v1.5.16 h1:FBPYOkW8ZTjLKUM4LI4xnnuuDC8CQ/dB04HD519WoEk= -github.com/xtaci/smux v1.5.16/go.mod h1:OMlQbT5vcgl2gb49mFkYo6SMf+zP3rcjcwQz7ZU7IGY= +golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa h1:idItI2DDfCokpg0N51B2VtiLdJ4vAuXC9fnCb2gACo4= +golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20211111160137-58aab5ef257a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
diff --git a/shadow/client.go b/shadow/client.go
index b8c9648..0b662c7 100644
--- a/shadow/client.go
+++ b/shadow/client.go
@@ -1,8 +1,8 @@
 package shadow
 import (
- "crypto/tls"
 "fmt"
+ "github.com/refraction-networking/utls"
 "io"
 "net"
 "time"
@@ -48,13 +48,13 @@ func handlerClient(conn net.Conn, serverAddress string, fakeAddressSNI string) {
 if HandshakePassword != "" {
 config.Rand = RandReaderObj
 }
- dial, err := tls.DialWithDialer(&net.Dialer{
- Timeout: time.Second * 5,
- }, "tcp", serverAddress, config)
+
+ rawConn, err := net.DialTimeout("tcp", serverAddress, time.Second*5)
 if err != nil {
 fmt.Printf("[Client] Dial server error: %v\n", err)
 return
 }
+ dial := tls.UClient(rawConn, config, tls.HelloChrome_102)
 err = dial.Handshake()
 if err != nil {
 fmt.Printf("[Client] Handshake error: %v\n", err)
diff --git a/shadow/client_test.go b/shadow/client_test.go
index e02390e..dd1a55a 100644
--- a/shadow/client_test.go
+++ b/shadow/client_test.go
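Review bot: The import `"github.com/refraction-networking/utls"` added to shadow/client.go carries no alias, so every `tls.` identifier in the file now resolves to utls (its package name is `tls`) while reading exactly like crypto/tls. shadow/client_test.go in this same commit imports it as `utls`; doing the same here, `utls "github.com/refraction-networking/utls"`, with the call sites renamed, would make the swap visible at each use. The line also belongs in its own import group after the standard-library block.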
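Review bot: `dial.Handshake()` in handlerClient (shadow/client.go) now runs without any deadline: `net.DialTimeout` bounds only the TCP connect, whereas the removed `tls.DialWithDialer` applied the dialer's 5-second timeout to connect and handshake together, so a peer that accepts the connection and then stalls blocks this goroutine indefinitely. Calling `rawConn.SetDeadline(time.Now().Add(5 * time.Second))` before the handshake and `rawConn.SetDeadline(time.Time{})` once it succeeds restores the old bound; wrapTLSClient in this commit's test file already follows that pattern. The handshake-error branch continues past the end of the hunk, so it is not visible whether `dial.Close()` is called there; with dialling and handshaking now separate steps, that branch owns `rawConn` and should close it before returning.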
@@ -5,7 +5,10 @@ import (
 "crypto/md5"
 "crypto/tls"
 "fmt"
+ utls "github.com/refraction-networking/utls"
+ "io/ioutil"
 "net"
+ "net/http"
 "testing"
 "time"
 )
@@ -64,3 +67,49 @@ func TestAes(t *testing.T) {
 fmt.Println(string(d))
 }
+
+func TestTLSFingerprint(t *testing.T) {
+
+ transport := http.Transport{
+ DialTLS: func(network, adr string) (net.Conn, error) {
+ dial, err := net.Dial(network, adr)
+ if err != nil {
+ return nil, err
+ }
+ return wrapTLSClient(dial, time.Second*5)
+ },
+ }
+ client := http.Client{
+ Transport: &transport,
+ CheckRedirect: nil,
+ Jar: nil,
+ Timeout: 0,
+ }
+ get, err := client.Get("https://client.tlsfingerprint.io:8443/")
+ if err != nil {
+ return
+ }
+ all, err := ioutil.ReadAll(get.Body)
+ if err != nil {
+ return
+ }
+ fmt.Println(string(all))
+
+}
+
+func wrapTLSClient(conn net.Conn, timeout time.Duration) (net.Conn, error) {
+ var err error
+
+ conn.SetDeadline(time.Now().Add(timeout))
+ defer conn.SetDeadline(time.Time{})
+
+ tlsConn := utls.UClient(conn, &utls.Config{ServerName: "client.tlsfingerprint.io"}, utls.HelloChrome_102)
+
+ if err = tlsConn.Handshake(); err != nil {
+ fmt.Println(err.Error())
+ tlsConn.Close()
+ return nil, err
+ }
+
+ return tlsConn, err
+}
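Review bot: TestTLSFingerprint cannot fail: both error branches `return` silently and the response is only printed, so a broken handshake or an unexpected fingerprint still reports PASS. The test also contacts the third-party host client.tlsfingerprint.io on every `go test` run with `Timeout: 0` (no limit) and never closes `get.Body`. The version below skips in `-short` mode, bounds the request, closes the body and turns the error paths into `t.Fatalf`; asserting on a field of the returned body would be the next step, but the response format is not visible here. wrapTLSClient also ignores the dialled address and hard-codes `ServerName`, which works for this one URL but deserves a comment.

```go
func TestTLSFingerprint(t *testing.T) {
	if testing.Short() {
		t.Skip("contacts client.tlsfingerprint.io; skipped in -short mode")
	}
	// … unchanged: transport with DialTLS calling wrapTLSClient …
	client := http.Client{
		Transport: &transport,
		Timeout:   15 * time.Second,
	}
	get, err := client.Get("https://client.tlsfingerprint.io:8443/")
	if err != nil {
		t.Fatalf("GET fingerprint service: %v", err)
	}
	defer get.Body.Close()
	all, err := ioutil.ReadAll(get.Body)
	if err != nil {
		t.Fatalf("read response body: %v", err)
	}
	// … unchanged: print the response …
```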