11/7
22:12
前言
今天在查看TLS in TLS相关问题的分析时,偶然看到这篇文章:V2Ray的进阶用法(2): MITM
其中对自己进行MITM攻击的做法,使得Client端与Server端之间的加密流量中只存在HTTP数据,从而完全避免了TLS in TLS特征。虽然实用性不高,但想法十分奇特,且配置较为复杂。
虽然不打算实际使用,但可以利用这个机会,理解V2ray的工作原理和配置原理。
首先是比较难以理解的客户端配置(以下以 \\ 开头的文字为说明注释,并非合法的JSON语法,实际使用时需要删除):
{
"inbound": { \\入口,socks5代理方式,前往routing分块
"allowPassive": true,
"listen": "127.0.0.1",
"port": 10854,
"protocol": "socks",
"settings": {
"auth": "noauth",
"udp": true
},
"tag": "vanillas"
},
"inboundDetour": [
{ \\入口,HTTP代理方式,与socks可视作平级,前往routing分块
"listen": "127.0.0.1",
"port": 10855,
"protocol": "http",
"settings": {},
"tag": "vanilla"
},
{ \\10856端口MITM区块。注意listen为0.0.0.0会在所有网卡上监听;下文reentry区块只通过127.0.0.1:10856回送流量,若不需要局域网内其他主机接入,应改为仅监听127.0.0.1
"listen": "0.0.0.0",
"port": 10856,
"tag": "mitm",
"protocol": "dokodemo-door",
"settings": {
"network": "tcp",
"timeout": 0,
"address": "kiri.moe", \\因为配置了followRedirect,所以此项相当于无效
"port": 443,
"followRedirect": true \\强制将流量转发至目标网站IP(用户所访问的网站的IP)。因为此处tag为mitm,未与任何outbound/outboundDetour区块匹配,自动使用兜底outbound
},
"streamSettings": { \\设置与客户端浏览器通讯时使用HTTPS协议,并在取得TLS数据包后剥离,此时本协议传入的数据均为纯HTTP流量;与此同时,接收服务端传来的纯HTTP流量,包装为TLS流量传给用户(浏览器)。下方usage为issue的证书会作为CA为被访问的域名动态签发证书,浏览器必须信任该CA;ca.key一旦泄露即可被用来伪造任意网站的证书,需妥善保管
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"alpn": [
"http/1.1"
],
"certificates": [
{
"usage": "issue",
"alpn": [
"http/1.1"
],
"certificateFile": "/path/to/ca.cer",
"keyFile": "/path/to/ca.key"
}
]
}
},
"sniffing": {
"enabled": false,
"destOverride": [
"http",
"tls"
]
}
}
],
"log": {
"access": "",
"error": "",
"loglevel": "info"
},
"outbound": { \\最终兜底outbound,标签不匹配的或没有标签的流量全都从本区块定义的方式流出
\\经MITM区块剥离TLS后得到的HTTP流量经此流出,送往服务端的11451端口
"mux": {
"enabled": true
},
"protocol": "vmess",
"proxySettings": {
"tag": "proxy"
},
"settings": {
"vnext": [
{
"address": "YOUR_IP",
"port": 11451,
"users": [
{
"alterId": 16,
"id": "b4fe5665-cebe-d292-0e66-9139958200f4",
"level": 0,
"security": "auto"
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"security": "none"
}
},
"outboundDetour": [
{
"protocol": "freedom",
"settings": {},
"tag": "direct"
},
{ \\outboundDetour-reentry区块,把带有reentry标签的流量送往10856端口的MITM区块
"protocol": "freedom",
"settings": {
"redirect": "127.0.0.1:10856"
},
"tag": "reentry"
},
{ \\outboundDetour-notouch区块,在Routing里判断的非HTTPS(notouch)流量经此流出,送往服务端的11452端口
"mux": {
"enabled": true
},
"protocol": "vmess",
"proxySettings": {
"tag": "proxy"
},
"settings": {
"vnext": [
{
"address": "YOUR_IP",
"port": 11452,
"users": [
{
"alterId": 16,
"id": "b4fe5665-cebe-d292-0e66-9139958200f4",
"level": 0,
"security": "auto"
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"security": "none"
},
"tag": "notouch"
}
],
"routing": { \\对入站代理流量进行判断
"settings": {
"rules": [ \\首先匹配IP规则,局域网/保留地址流量直连,其余代理流量进入下一个按Tag分流的规则
{
"ip": [
"0.0.0.0/8",
"10.0.0.0/8",
"100.64.0.0/10",
"127.0.0.0/8",
"169.254.0.0/16",
"172.16.0.0/12",
"192.0.0.0/24",
"192.0.2.0/24",
"192.168.0.0/16",
"198.18.0.0/15",
"198.51.100.0/24",
"203.0.113.0/24",
"::1/128",
"fc00::/7",
"fe80::/10"
],
"outboundTag": "direct",
"type": "field"
},
{ \\处理由socks代理与http代理接收的入站流量
"inboundTag": [
"vanilla", \\http流量
"vanillas" \\socks流量
],
"port": "443", \\如果请求的目标服务器端口为443,则套用MITM规则,打上reentry标签,前往outboundDetour-reentry区块
"outboundTag": "reentry",
"type": "field"
},
{ \\如果请求目标端口非443,判断为非HTTPS流量,走正常方式,打上notouch标签,前往outboundDetour-notouch区块
"inboundTag": [
"vanilla",
"vanillas"
],
"port": "0-442", \\非443
"outboundTag": "notouch",
"type": "field"
},
{
"inboundTag": [
"vanilla",
"vanillas"
],
"port": "444-65535", \\非443
"outboundTag": "notouch",
"type": "field"
}
]
},
"strategy": "rules"
}
}
随后是相对比较简单的服务端配置:
{ \\11451端口,接收剥离了TLS的纯HTTP流量,送往outbound
"inbound": {
"allowPassive": true,
"port": 11451,
"protocol": "vmess",
"settings": {
"clients": [
{
"alterId": 16,
"id": "b4fe5665-cebe-d292-0e66-9139958200f4",
"level": 1,
"security": "auto"
}
]
},
"streamSettings": {
"network": "tcp",
"security": "none"
}
},
"inboundDetour": [
{ \\11452端口,接收普通流量,打上notouch标签,送往outboundDetour
"allowPassive": true,
"port": 11452,
"tag": "notouch",
"protocol": "vmess",
"settings": {
"clients": [
{
"alterId": 16,
"id": "b4fe5665-cebe-d292-0e66-9139958200f4",
"level": 1,
"security": "auto"
}
]
},
"streamSettings": {
"network": "tcp",
"security": "none"
}
}
],
"log": {
"access": "",
"error": "",
"loglevel": "info"
},
"outbound": { \\处理11451端口取得的流量
"protocol": "freedom",
"settings": {
"domainStrategy": "AsIs",
"timeout": 0
},
"streamSettings": { \\使用TLS与用户要访问的目标服务器进行通讯,并剥离后取得纯HTTP流量;或者将纯HTTP流量包装为TLS流量发往目标服务器
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"alpn": [
"http/1.1"
]
}
}
},
"outboundDetour": [
{ \\blocked区块:routing中第一条IP规则匹配到的局域网/保留地址流量经此丢弃;notouch流量实际由下一个nointercept区块处理
"protocol": "blackhole",
"settings": {},
"tag": "blocked"
},
{
"protocol": "freedom",
"tag": "nointercept",
"settings": {
"domainStrategy": "AsIs",
"timeout": 0
},
"streamSettings": {
"security": "none"
}
}
],
"routing": {
"settings": {
"rules": [
{
"ip": [
"0.0.0.0/8",
"10.0.0.0/8",
"100.64.0.0/10",
"127.0.0.0/8",
"169.254.0.0/16",
"172.16.0.0/12",
"192.0.0.0/24",
"192.0.2.0/24",
"192.168.0.0/16",
"198.18.0.0/15",
"198.51.100.0/24",
"203.0.113.0/24",
"::1/128",
"fc00::/7",
"fe80::/10"
],
"outboundTag": "blocked",
"type": "field"
},
{
"inboundTag": [
"notouch"
],
"outboundTag": "nointercept",
"type": "field"
}
]
},
"strategy": "rules"
}
}