Merge pull request #14 from shadowy-pycoder/udp

Udp support for transparent proxy with DNS queries sniffing

Author: shadowy-pycoder

README.md

@@ -20,6 +20,7 @@
 - [Transparent proxy](#transparent-proxy)
   - [redirect (via NAT and SO_ORIGINAL_DST)](#redirect-via-nat-and-so_original_dst)
   - [tproxy (via MANGLE and IP_TRANSPARENT)](#tproxy-via-mangle-and-ip_transparent)
+  - [UDP support](#udp-support)
   - [ARP spoofing](#arp-spoofing)
 - [Traffic sniffing](#traffic-sniffing)
   - [JSON format](#json-format)
@@ -62,8 +63,11 @@ Specify http server in proxy configuration of Postman
 - **Transparent proxy**\
   Supports `redirect` (SO_ORIGINAL_DST) and `tproxy` (IP_TRANSPARENT) modes
 
+- **TCP and UDP Transparent proxy**\
+  `tproxy` (IP_TRANSPARENT) handles TCP and UDP traffic
+
 - **Traffic sniffing**\
-  Proxy is able to parse HTTP headers and TLS handshake metadata
+  Proxy is able to parse HTTP headers, TLS handshake, DNS messages and more
 
 - **ARP spoofing**\
   Proxy entire subnets with ARP spoofing approach
@@ -101,7 +105,7 @@ You can download the binary for your platform from [Releases](https://github.com
 Example:
 
 ```shell
-GOHPTS_RELEASE=v1.9.4; wget -v https://github.com/shadowy-pycoder/go-http-proxy-to-socks/releases/download/$GOHPTS_RELEASE/gohpts-$GOHPTS_RELEASE-linux-amd64.tar.gz -O gohpts && tar xvzf gohpts && mv -f gohpts-$GOHPTS_RELEASE-linux-amd64 gohpts && ./gohpts -h
+GOHPTS_RELEASE=v2.0.0; wget -v https://github.com/shadowy-pycoder/go-http-proxy-to-socks/releases/download/$GOHPTS_RELEASE/gohpts-$GOHPTS_RELEASE-linux-amd64.tar.gz -O gohpts && tar xvzf gohpts && mv -f gohpts-$GOHPTS_RELEASE-linux-amd64 gohpts && ./gohpts -h
 ```
 
 Alternatively, you can install it using `go install` command (requires Go [1.24](https://go.dev/doc/install) or later):
@@ -168,6 +172,7 @@ Options:
   TProxy:
   -t        Address of transparent proxy server (it starts along with HTTP proxy server)
   -T        Address of transparent proxy server (no HTTP)
+  -Tu       Address of transparent UDP proxy server
   -M        Transparent proxy mode: (redirect, tproxy)
   -auto     Automatically setup iptables for transparent proxy (requires elevated privileges)
   -arpspoof Enable ARP spoof proxy for selected targets (Example: "targets 10.0.0.1,10.0.0.5-10,192.168.1.*,192.168.10.0/24;fullduplex false;debug true")
@@ -521,6 +526,30 @@ sudo bettercap -eval "net.probe on;net.recon on;set arp.spoof.fullduplex true;ar
 
 Check proxy logs for traffic from other devices from your LAN
 
+### UDP support
+
+`GoHPTS` has UDP support that can be enabled in `tproxy` mode. For this setup to work you need to connect to a socks5 server capable of serving UDP connections (`UDP ASSOCIATE`). For example, you can use [https://github.com/wzshiming/socks5](https://github.com/wzshiming/socks5) to deploy UDP capable socks5 server on some remote or local machine. Once you have the server to connect to, run the following command:
+
+```shell
+sudo env PATH=$PATH gohpts -s remote -Tu :8989 -M tproxy -auto -mark 100 -d
+```
+
+This command will configure your operating system and setup server on `0.0.0.0:8989` address.
+
+To test it locally, you can combine UDP transparent proxy with `-arpspoof` flag. For example:
+
+1. Setup VM on your system with any Linux distributive that supports `tproxy` (Kali Linux, for instance).
+2. Enable `bridged` network so that VM could access your host machine.
+3. Move `gohpts` binary to VM (via `ssh`, for instance) or build it there in case of different OS/arch.
+4. On your VM run the following command:
+
+```shell
+# Do not forget to replace <socks5 server> and <your host> with actual addresses
+sudo ./gohpts -s <socks5 server> -T 8888 -Tu :8989 -M tproxy -sniff -body -auto -mark 100 -d -arpspoof "targets <your host>;fullduplex true;debug false"
+```
+
+4. Check connection on your host machine, the traffic should go through Kali machine.
+
 ## Traffic sniffing
 
 [[Back]](#table-of-contents)

cmd/gohpts/cli.go

@@ -62,6 +62,7 @@ const usageTproxy string = `
   TProxy:
   -t        Address of transparent proxy server (it starts along with HTTP proxy server)
   -T        Address of transparent proxy server (no HTTP)
+  -Tu       Address of transparent UDP proxy server
   -M        Transparent proxy mode: (redirect, tproxy)
   -auto     Automatically setup iptables for transparent proxy (requires elevated privileges)
   -arpspoof Enable ARP spoof proxy for selected targets (Example: "targets 10.0.0.1,10.0.0.5-10,192.168.1.*,192.168.10.0/24;fullduplex false;debug true")
@@ -106,6 +107,7 @@ func root(args []string) error {
 	if runtime.GOOS == tproxyOS {
 		flags.StringVar(&conf.TProxy, "t", "", "Address of transparent proxy server (it starts along with HTTP proxy server)")
 		flags.StringVar(&conf.TProxyOnly, "T", "", "Address of transparent proxy server (no HTTP)")
+		flags.StringVar(&conf.TProxyUDP, "Tu", "", "Address of transparent UDP proxy server")
 		flags.Func("M", fmt.Sprintf("Transparent proxy mode: %s", gohpts.SupportedTProxyModes), func(flagValue string) error {
 			if !slices.Contains(gohpts.SupportedTProxyModes, flagValue) {
 				fmt.Fprintf(os.Stderr, "%s: %s is not supported (type '%s -h' for help)\n", app, flagValue, app)
@@ -176,19 +178,27 @@ func root(args []string) error {
 			return fmt.Errorf("transparent proxy mode is not provided: -M flag")
 		}
 	}
+	if seen["Tu"] {
+		if !seen["M"] {
+			return fmt.Errorf("transparent proxy mode is not provided: -M flag")
+		}
+		if conf.TProxyMode != "tproxy" {
+			return fmt.Errorf("transparent UDP proxy require tproxy mode")
+		}
+	}
 	if seen["M"] {
-		if !seen["t"] && !seen["T"] {
-			return fmt.Errorf("transparent proxy mode requires -t or -T flag")
+		if !seen["t"] && !seen["T"] && !seen["Tu"] {
+			return fmt.Errorf("transparent proxy mode requires -t, -T or -Tu flag")
 		}
 	}
 	if seen["auto"] {
-		if !seen["t"] && !seen["T"] {
-			return fmt.Errorf("-auto requires -t or -T flag")
+		if !seen["t"] && !seen["T"] && !seen["Tu"] {
+			return fmt.Errorf("-auto requires -t, -T or -Tu flag")
 		}
 	}
 	if seen["mark"] {
-		if !seen["t"] && !seen["T"] {
-			return fmt.Errorf("-mark requires -t or -T flag")
+		if !seen["t"] && !seen["T"] && !seen["Tu"] {
+			return fmt.Errorf("-mark requires -t, -T or -Tu flag")
 		}
 	}
 	if seen["f"] {

colorize.go

@@ -18,10 +18,10 @@ import (
 
 var (
 	ipPortPattern = regexp.MustCompile(
-		`\b(?:\d{1,3}\.){3}\d{1,3}(?::(6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]?\d{1,4}))?\b`,
+		`(?:\[(?:[0-9a-fA-F:.]+)\]|(?:\d{1,3}\.){3}\d{1,3})(?::(6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]?\d{1,4}))?`,
 	)
 	domainPattern = regexp.MustCompile(
-		`\b(?:[a-zA-Z0-9-]{1,63}\.)+(?:com|net|org|io|co|uk|ru|de|edu|gov|info|biz|dev|app|ai)(?::(6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]?\d{1,4}))?\b`,
+		`\b(?:[a-zA-Z0-9-]{1,63}\.)+(?:com|net|org|io|co|uk|ru|de|edu|gov|info|biz|dev|app|ai|tv)(?::(6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]?\d{1,4}))?\b`,
 	)
 	jwtPattern  = regexp.MustCompile(`\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b`)
 	authPattern = regexp.MustCompile(
@@ -187,9 +187,9 @@ func colorizeHTTP(
 
 func colorizeTLS(req *layers.TLSClientHello, resp *layers.TLSServerHello, id string, nocolor bool) string {
 	var sb strings.Builder
+	sb.WriteString(fmt.Sprintf("%s ", colorizeTimestamp(time.Now(), nocolor)))
+	sb.WriteString(id)
 	if nocolor {
-		sb.WriteString(fmt.Sprintf("%s ", colorizeTimestamp(time.Now(), nocolor)))
-		sb.WriteString(id)
 		sb.WriteString(fmt.Sprintf(" %s ", req.TypeDesc))
 		if req.Length > 0 {
 			sb.WriteString(fmt.Sprintf(" Len: %d", req.Length))
@@ -224,8 +224,6 @@ func colorizeTLS(req *layers.TLSClientHello, resp *layers.TLSServerHello, id str
 			sb.WriteString(fmt.Sprintf(" ExtLen: %d", resp.ExtensionLength))
 		}
 	} else {
-		sb.WriteString(fmt.Sprintf("%s ", colorizeTimestamp(time.Now(), nocolor)))
-		sb.WriteString(id)
 		sb.WriteString(colors.Magenta(fmt.Sprintf(" %s ", req.TypeDesc)).Bold())
 		if req.Length > 0 {
 			sb.WriteString(colors.BeigeBg(fmt.Sprintf(" Len: %d", req.Length)).String())
@@ -263,6 +261,98 @@ func colorizeTLS(req *layers.TLSClientHello, resp *layers.TLSServerHello, id str
 	return sb.String()
 }
 
+func colorizeRData(rec *layers.ResourceRecord) string {
+	var rdata string
+	switch rd := rec.RData.(type) {
+	case *layers.RDataA:
+	case *layers.RDataAAAA:
+		rdata = fmt.Sprintf("%s %s ", colors.LightBlue(rec.Type.Name), colors.Gray(rd.Address.String()))
+	case *layers.RDataNS:
+		rdata = fmt.Sprintf("%s %s ", colors.LightBlue(rec.Type.Name), colors.Gray(rd.NsdName))
+	case *layers.RDataCNAME:
+		rdata = fmt.Sprintf("%s %s ", colors.LightBlue(rec.Type.Name), colors.Gray(rd.CName))
+	case *layers.RDataSOA:
+		rdata = fmt.Sprintf("%s %s ", colors.LightBlue(rec.Type.Name), colors.Gray(rd.PrimaryNS))
+	case *layers.RDataMX:
+		rdata = fmt.Sprintf("%s %s %s ", colors.LightBlue(rec.Type.Name), colors.Gray(fmt.Sprintf("%d", rd.Preference)), colors.Gray(rd.Exchange))
+	case *layers.RDataTXT:
+		rdata = fmt.Sprintf("%s %s ", colors.LightBlue(rec.Type.Name), colors.Gray(rd.TxtData))
+	default:
+		rdata = fmt.Sprintf("%s ", colors.LightBlue(rec.Type.Name))
+	}
+	return rdata
+}
+
+func colorizeDNS(req, resp *layers.DNSMessage, id string, nocolor bool) string {
+	var sb strings.Builder
+	sb.WriteString(fmt.Sprintf("%s ", colorizeTimestamp(time.Now(), nocolor)))
+	sb.WriteString(id)
+	if nocolor {
+		sb.WriteString(fmt.Sprintf(" DNS %s (%s) %#04x ", req.Flags.OPCodeDesc, req.Flags.QRDesc, req.TransactionID))
+		for _, rec := range req.Questions {
+			sb.WriteString(fmt.Sprintf("%s %s ", rec.Type.Name, rec.Name))
+		}
+		for _, rec := range req.AnswerRRs {
+			sb.WriteString(rec.Summary())
+		}
+		for _, rec := range req.AuthorityRRs {
+			sb.WriteString(rec.Summary())
+		}
+		for _, rec := range req.AdditionalRRs {
+			sb.WriteString(rec.Summary())
+		}
+		sb.WriteString("\n")
+		sb.WriteString(fmt.Sprintf("%s ", colorizeTimestamp(time.Now(), nocolor)))
+		sb.WriteString(id)
+		sb.WriteString(fmt.Sprintf(" DNS %s (%s) %#04x ", resp.Flags.OPCodeDesc, resp.Flags.QRDesc, resp.TransactionID))
+		for _, rec := range resp.Questions {
+			sb.WriteString(fmt.Sprintf("%s %s ", rec.Type.Name, rec.Name))
+		}
+		for _, rec := range resp.AnswerRRs {
+			sb.WriteString(rec.Summary())
+		}
+		for _, rec := range resp.AuthorityRRs {
+			sb.WriteString(rec.Summary())
+		}
+		for _, rec := range resp.AdditionalRRs {
+			sb.WriteString(rec.Summary())
+		}
+	} else {
+		sb.WriteString(colors.Gray(fmt.Sprintf(" DNS %s (%s)", req.Flags.OPCodeDesc, req.Flags.QRDesc)).Bold())
+		sb.WriteString(colors.Beige(fmt.Sprintf(" %#04x ", req.TransactionID)).String())
+		for _, rec := range req.Questions {
+			sb.WriteString(fmt.Sprintf("%s %s ", colors.LightBlue(rec.Type.Name), colors.Gray(rec.Name)))
+		}
+		for _, rec := range req.AnswerRRs {
+			sb.WriteString(colorizeRData(rec))
+		}
+		for _, rec := range req.AuthorityRRs {
+			sb.WriteString(colorizeRData(rec))
+		}
+		for _, rec := range req.AdditionalRRs {
+			sb.WriteString(colorizeRData(rec))
+		}
+		sb.WriteString("\n")
+		sb.WriteString(fmt.Sprintf("%s ", colorizeTimestamp(time.Now(), nocolor)))
+		sb.WriteString(id)
+		sb.WriteString(colors.Blue(fmt.Sprintf(" DNS %s (%s)", resp.Flags.OPCodeDesc, resp.Flags.QRDesc)).Bold())
+		sb.WriteString(colors.Beige(fmt.Sprintf(" %#04x ", resp.TransactionID)).String())
+		for _, rec := range resp.Questions {
+			sb.WriteString(fmt.Sprintf("%s %s ", colors.LightBlue(rec.Type.Name), colors.Gray(rec.Name)))
+		}
+		for _, rec := range resp.AnswerRRs {
+			sb.WriteString(colorizeRData(rec))
+		}
+		for _, rec := range resp.AuthorityRRs {
+			sb.WriteString(colorizeRData(rec))
+		}
+		for _, rec := range resp.AdditionalRRs {
+			sb.WriteString(colorizeRData(rec))
+		}
+	}
+	return sb.String()
+}
+
 func highlightPatterns(line string, nocolor bool) (string, bool) {
 	matched := false
 
@@ -377,7 +467,7 @@ func colorizeConnections(srcRemote, srcLocal, dstRemote, dstLocal net.Addr, id s
 }
 
 func colorizeConnectionsTransparent(
-	srcRemote, srcLocal, dstRemote, dstLocal net.Addr,
+	srcRemote, srcLocal, dstLocal, dstRemote net.Addr,
 	dst,
 	id string,
 	nocolor bool,

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/rs/zerolog v1.34.0
 	github.com/shadowy-pycoder/colors v0.0.1
-	github.com/shadowy-pycoder/mshark v0.0.10
+	github.com/shadowy-pycoder/mshark v0.0.13
 	github.com/wzshiming/socks5 v0.5.2
 	golang.org/x/sys v0.33.0
 	golang.org/x/term v0.32.0
@@ -20,6 +20,7 @@ require (
 	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/mdlayher/packet v1.1.2 // indirect
 	github.com/mdlayher/socket v0.4.1 // indirect
+	github.com/packetcap/go-pcap v0.0.0-20240528124601-8c87ecf5dbc5 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	golang.org/x/net v0.40.0 // indirect
 	golang.org/x/sync v0.16.0 // indirect

go.sum

@@ -8,6 +8,8 @@ github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gopacket/gopacket v1.2.0 h1:eXbzFad7f73P1n2EJHQlsKuvIMJjVXK5tXoSca78I3A=
+github.com/gopacket/gopacket v1.2.0/go.mod h1:BrAKEy5EOGQ76LSqh7DMAr7z0NNPdczWm2GxCG7+I8M=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
 github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/malfunkt/iprange v0.9.0 h1:VCs0PKLUPotNVQTpVNszsut4lP7OCGNBwX+lOYBrnVQ=
@@ -21,6 +23,8 @@ github.com/mdlayher/packet v1.1.2 h1:3Up1NG6LZrsgDVn6X4L9Ge/iyRyxFEFD9o6Pr3Q1nQY
 github.com/mdlayher/packet v1.1.2/go.mod h1:GEu1+n9sG5VtiRE4SydOmX5GTwyyYlteZiFU+x0kew4=
 github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
 github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
+github.com/packetcap/go-pcap v0.0.0-20240528124601-8c87ecf5dbc5 h1:p4VuaitqUAqSZSomd7Wb4BPV/Jj7Hno2/iqtfX7DZJI=
+github.com/packetcap/go-pcap v0.0.0-20240528124601-8c87ecf5dbc5/go.mod h1:zIAoVKeWP0mz4zXY50UYQt6NLg2uwKRswMDcGEqOms4=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -30,8 +34,8 @@ github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
 github.com/shadowy-pycoder/colors v0.0.1 h1:weCj/YIOupqy4BSP8KuVzr20fC+cuAv/tArz7bhhkP4=
 github.com/shadowy-pycoder/colors v0.0.1/go.mod h1:lkrJS1PY2oVigNLTT6pkbF7B/v0YcU2LD5PZnss1Q4U=
-github.com/shadowy-pycoder/mshark v0.0.10 h1:pLMIsgfvnO0oKeBNdy0fTGQsx//6scCPT52g93CqyT4=
-github.com/shadowy-pycoder/mshark v0.0.10/go.mod h1:FqbHFdsx0zMnrZZH0+oPzaFcleP4O+tUWv8i5gxo87k=
+github.com/shadowy-pycoder/mshark v0.0.13 h1:ROEuey/Th4YAmfRg8Xc17aboMs5fknQho4mNBC9h+KE=
+github.com/shadowy-pycoder/mshark v0.0.13/go.mod h1:FqbHFdsx0zMnrZZH0+oPzaFcleP4O+tUWv8i5gxo87k=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/wzshiming/socks5 v0.5.2 h1:LtoowVNwAmkIQSkP1r1Wg435xUmC+tfRxorNW30KtnM=