

V2ray进阶MITM用法配置分析

前言

今天在查看TLS in TLS相关问题的分析时,偶然看到这篇文章:V2Ray的进阶用法(2): MITM
其中对自己进行MITM攻击的做法,使得Client端与Server端之间的加密流量中只存在HTTP数据,从而完全避免了TLS in TLS特征,虽然实用性不高,但想法十分奇特,且配置较为复杂。
虽然不打算实际使用,但可以利用这个机会,理解V2ray的工作原理和配置原理。

首先是比较难以理解的客户端配置:

{
  "inbound": {          \\入口,socks5代理方式,前往routing分块
    "allowPassive": true,
    "listen": "127.0.0.1",
    "port": 10854,
    "protocol": "socks",
    "settings": {
      "auth": "noauth",
      "udp": true
    },
    "tag": "vanillas"
  },
  "inboundDetour": [
    {                   \\入口,HTTP代理方式,与socks可视作平级,前往routing分块
      "listen": "127.0.0.1",
      "port": 10855,
      "protocol": "http",
      "settings": {},
      "tag": "vanilla"
    },
    {                   \\10856端口MITM区块(此处监听0.0.0.0,但reentry区块只转发到127.0.0.1:10856,监听127.0.0.1即可,避免把MITM入口暴露给其他主机)
      "listen": "0.0.0.0",
      "port": 10856,
      "tag": "mitm",
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp",
        "timeout": 0,
        "address": "kiri.moe",  \\因为配置了followRedirect,所以此项相当于无效
        "port": 443,
      "followRedirect": true  \\强制将流量转发至目标网站IP(用户所访问的网站的IP),因为此处TAG为mitm,未与任何outbound/outboundDetour区块的路由规则匹配,自动使用兜底outbound
      },
      "streamSettings": {       \\设置与客户端浏览器通讯时,使用HTTPS协议,并在取得TLS数据包后剥离,此时本协议传入的数据均为纯HTTP流量;与此同时,接收服务端传来的纯HTTP流量,包装为TLS流量传给用户(浏览器)。签发证书所用的自建CA(ca.cer)需先被浏览器信任;ca.key一旦泄露即可被用来冒充任意站点,须妥善保管
        "security": "tls",
        "tlsSettings": {
          "allowInsecure": false,
          "alpn": [
            "http/1.1"
          ],
          "certificates": [
            {
              "usage": "issue",
              "alpn": [
                "http/1.1"
              ],
              "certificateFile": "/path/to/ca.cer",
              "keyFile": "/path/to/ca.key"
            }
          ]
        }
      },
      "sniffing": {
        "enabled": false,
        "destOverride": [
          "http",
          "tls"
        ]
      }
    }
  ],
  "log": {
    "access": "",
    "error": "",
    "loglevel": "info"
  },
  "outbound": {                 \\最终兜底outbound,标签不匹配的或没有标签的流量全都从本区块定义的方式流出
                                \\经MITM区块剥离TLS后得到的HTTP流量经此流出,送往服务端的11451端口
    "mux": {
      "enabled": true
    },
    "protocol": "vmess",
    "proxySettings": {
      "tag": "proxy"
    },
    "settings": {
      "vnext": [
        {
          "address": "YOUR_IP",
          "port": 11451,
          "users": [
            {
              "alterId": 16,
              "id": "b4fe5665-cebe-d292-0e66-9139958200f4",
              "level": 0,
              "security": "auto"
            }
          ]
        }
      ]
    },
    "streamSettings": {
      "network": "tcp",
      "security": "none"
    }
  },
  "outboundDetour": [
    {
      "protocol": "freedom",
      "settings": {},
      "tag": "direct"
    },
    {                       \\outboundDetour-reentry区块,把带有reentry标签的流量送往10856端口的MITM区块
      "protocol": "freedom",
      "settings": {
        "redirect": "127.0.0.1:10856"
      },
      "tag": "reentry"
    },
    {                   \\outboundDetour-notouch区块,在Routing里判断的非HTTPS(notouch)流量经此流出,送往服务端的11452端口
      "mux": {
        "enabled": true
      },
      "protocol": "vmess",
      "proxySettings": {
        "tag": "proxy"
      },
      "settings": {
        "vnext": [
          {
            "address": "YOUR_IP",
            "port": 11452,
            "users": [
              {
                "alterId": 16,
                "id": "b4fe5665-cebe-d292-0e66-9139958200f4",
                "level": 0,
                "security": "auto"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "none"
      },
      "tag": "notouch"
    }
  ],
  "routing": {              \\对入站代理流量进行判断
    "settings": {
      "rules": [            \\首先匹配IP规则,直连局域网流量,对代理流量进入下一Tag分流区块
        {
          "ip": [
            "0.0.0.0/8",
            "10.0.0.0/8",
            "100.64.0.0/10",
            "127.0.0.0/8",
            "169.254.0.0/16",
            "172.16.0.0/12",
            "192.0.0.0/24",
            "192.0.2.0/24",
            "192.168.0.0/16",
            "198.18.0.0/15",
            "198.51.100.0/24",
            "203.0.113.0/24",
            "::1/128",
            "fc00::/7",
            "fe80::/10"
          ],
          "outboundTag": "direct",
          "type": "field"
        },
        {                   \\处理由socks代理与http代理接收的入站流量
          "inboundTag": [
            "vanilla",      \\http流量
            "vanillas"      \\socks流量
          ],
          "port": "443",    \\如果请求的目标服务器端口为443,则套用MITM规则,打上reentry标签,前往outboundDetour-reentry区块
          "outboundTag": "reentry",
          "type": "field"
        },
        {                   \\如果请求目标端口非443,判断为非HTTPS流量,走正常方式,打上notouch标签,前往outboundDetour-notouch区块
          "inboundTag": [
            "vanilla",
            "vanillas"
          ],
          "port": "0-442",  \\非443
          "outboundTag": "notouch",
          "type": "field"
        },
        {
          "inboundTag": [
            "vanilla",
            "vanillas"
          ],
          "port": "444-65535",  \\非443
          "outboundTag": "notouch",
          "type": "field"
        }
      ]
    },
    "strategy": "rules"
  }
}

随后是相对比较简单的服务端配置:

{               \\11451端口,接收剥离了TLS的纯HTTP流量,送往outbound
  "inbound": {
    "allowPassive": true,
    "port": 11451,
    "protocol": "vmess",
    "settings": {
      "clients": [
        {
          "alterId": 16,
          "id": "b4fe5665-cebe-d292-0e66-9139958200f4",
          "level": 1,
          "security": "auto"
        }
      ]
    },
    "streamSettings": {
      "network": "tcp",
      "security": "none"
    }
  },
  "inboundDetour": [
    {                       \\11452端口,接收普通流量,打上notouch标签,送往outboundDetour
      "allowPassive": true,
      "port": 11452,
      "tag": "notouch",
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "alterId": 16,
            "id": "b4fe5665-cebe-d292-0e66-9139958200f4",
            "level": 1,
            "security": "auto"
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "none"
      }
    }
  ],
  "log": {
    "access": "",
    "error": "",
    "loglevel": "info"
  },
  "outbound": {             \\处理11451端口取得的流量
    "protocol": "freedom",
    "settings": {
      "domainStrategy": "AsIs",
      "timeout": 0
    },
    "streamSettings": {     \\使用TLS与用户要访问的目标服务器进行通讯,并剥离后取得纯HTTP流量;或者将纯HTTP流量包装为TLS流量发往目标服务器
      "security": "tls",
      "tlsSettings": {
        "allowInsecure": false,
        "alpn": [
          "http/1.1"
        ]
      }
    }
  },
  "outboundDetour": [
    {               \\blackhole区块,丢弃路由规则中命中内网IP段的流量;notouch流量由下一个nointercept区块处理
      "protocol": "blackhole",
      "settings": {},
      "tag": "blocked"
    },
    {
      "protocol": "freedom",
      "tag": "nointercept",
      "settings": {
        "domainStrategy": "AsIs",
        "timeout": 0
      },
      "streamSettings": {
        "security": "none"
      }
    }
  ],
  "routing": {
    "settings": {
      "rules": [
        {
          "ip": [
            "0.0.0.0/8",
            "10.0.0.0/8",
            "100.64.0.0/10",
            "127.0.0.0/8",
            "169.254.0.0/16",
            "172.16.0.0/12",
            "192.0.0.0/24",
            "192.0.2.0/24",
            "192.168.0.0/16",
            "198.18.0.0/15",
            "198.51.100.0/24",
            "203.0.113.0/24",
            "::1/128",
            "fc00::/7",
            "fe80::/10"
          ],
          "outboundTag": "blocked",
          "type": "field"
        },
        {
          "inboundTag": [
            "notouch"
          ],
          "outboundTag": "nointercept",
          "type": "field"
        }
      ]
    },
    "strategy": "rules"
  }
}
