jerry
/
go-socks5-ssh-proxy
mirror of https://github.com/xor-gate/go-socks5-ssh-proxy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: jerry:ee933011a0ad5ef04a6b9b1af4164a51c10565f1
Branches Tags
jerry:main
jerry:freebsd-build
..
compare: jerry:c322d01d2965b84b707a54b725322fc66b3f4c3a
Branches Tags
jerry:main
jerry:freebsd-build

No commits in common. "ee933011a0ad5ef04a6b9b1af4164a51c10565f1" and "c322d01d2965b84b707a54b725322fc66b3f4c3a" have entirely different histories.
ee933011a0 ... c322d01d29

9 changed files with 32 additions and 296 deletions
Show Stats Expand all files Collapse all files

92
.github/workflows/build.yml vendored
View File

@ -1,4 +1,5 @@
name: Build go-socks5-ssh-proxy name: GitHub Actions Demo
run-name: ${{ github.actor }} is testing out GitHub Actions 🚀
on: on:
pull_request: pull_request:
@ -12,91 +13,28 @@ env:
# The go version to use for builds. We set check-latest to true when # The go version to use for builds. We set check-latest to true when
# installing, so we get the latest patch version that matches the # installing, so we get the latest patch version that matches the
# expression. # expression.
GO_VERSION: "~1.22.5" GO_VERSION: "~1.22.3"
jobs: jobs:
release: Explore-GitHub-Actions:
name: Build release
environment: prod
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- run: echo "🎉 The job was automatically triggered by a ${{ github.event_name }} event."
- run: echo "🐧 This job is now running on a ${{ runner.os }} server hosted by GitHub!"
- run: echo "🔎 The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}."
- name: Check out repository code - name: Check out repository code
uses: actions/checkout@v4 uses: actions/checkout@v4
- uses: actions/setup-go@v5 - uses: actions/setup-go@v5
with: with:
go-version: ${{ env.GO_VERSION }} go-version: ${{ env.GO_VERSION }}
cache: true cache: true
check-latest: true check-latest: true
- run: echo "💡 The ${{ github.repository }} repository has been cloned to the runner."
- name: Use config_release.go from action secrets - run: echo "🖥️ The workflow is now ready to test your code on the runner."
uses: mobiledevops/secret-to-file-action@v1 # TODO native in Makefile, can be unsafe... - name: List files in the repository
with: run: |
base64-encoded-secret: ${{ secrets.CONFIG_RELEASE_GO_FILE }} ls ${{ github.workspace }}
filename: "config_release.go" - run: echo "🍏 This job's status is ${{ job.status }}."
- run: make ci
- name: Use resources/ssh_private_key from action secrets
uses: mobiledevops/secret-to-file-action@v1 # TODO native in Makefile, can be unsafe...
with:
base64-encoded-secret: ${{ secrets.RESOURCES_SSH_PRIVATE_KEY }}
filename: "ssh_private_key"
working-directory: "./resources"
- run: make release
- name: Store release artifacts
uses: actions/upload-artifact@v4
with:
name: dist-release
path: |
dist
release-dll:
name: Build release DLL
environment: prod
runs-on: ubuntu-latest
steps:
- name: Check out repository code
uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: true
check-latest: true
- name: Set up MinGW
uses: egor-tensin/setup-mingw@v2
with:
platform: x64
- name: Use config_release.go from action secrets
uses: mobiledevops/secret-to-file-action@v1 # TODO native in Makefile, can be unsafe...
with:
base64-encoded-secret: ${{ secrets.CONFIG_RELEASE_GO_FILE }}
filename: "config_release.go"
- name: Use resources/ssh_private_key from action secrets
uses: mobiledevops/secret-to-file-action@v1 # TODO native in Makefile, can be unsafe...
with:
base64-encoded-secret: ${{ secrets.RESOURCES_SSH_PRIVATE_KEY }}
filename: "ssh_private_key"
working-directory: "./resources"
- name: Run GoReleaser to build release DLL
uses: goreleaser/goreleaser-action@v6
with:
# either 'goreleaser' (default) or 'goreleaser-pro'
distribution: goreleaser
# 'latest', 'nightly', or a semver
version: '~> v2'
args: release --clean --snapshot
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} CONFIG_RELEASE_GO_FILE: ${{ secrets.CONFIG_RELEASE_GO_FILE }}
- name: Store release artifacts
uses: actions/upload-artifact@v4
with:
name: dist-release-dll
path: |
dist

58
.github/workflows/obfuscate.yaml.snippet vendored
View File

@ -1,58 +0,0 @@
release-obfuscate:
name: Build release obfuscated
runs-on: windows-latest
needs:
- release
- release-dll
steps:
- name: Check out Alcatraz
uses: actions/checkout@v4
with:
repository: 'weak1337/Alcatraz'
- name: Download release artifacts
uses: actions/download-artifact@v4
with:
name: dist-release
- name: Download release-dll artifacts
uses: actions/download-artifact@v4
with:
name: dist-release-dll
- name: Dir
run: "Get-ChildItem -Path . -Force -Recurse"
- name: Run Alcatraz-con.exe on release EXE
run: "./x64/Release/Alcatraz-con.exe socks5-ssh-proxy.exe"
- name: Run Alcatraz-con.exe on release DLL
run: "./x64/Release/Alcatraz-con.exe dll_windows_amd64_v1/go-socks5-ssh-proxy.dll"
- name: Create dist directory and move obfuscated artifacts
run: |
# Define source files and destination directory
$sourceFiles = @("socks5-ssh-proxy.exe", "dll_windows_amd64_v1/go-socks5-ssh-proxy.dll")
$destinationDir = "dist"
# Create the destination directory if it doesn't exist
if (-not (Test-Path -Path $destinationDir)) {
New-Item -ItemType Directory -Path $destinationDir
}
# Move each file to the destination directory
foreach ($file in $sourceFiles) {
if (Test-Path -Path $file) {
Move-Item -Path $file -Destination $destinationDir
Write-Output "Moved $file to $destinationDir"
} else {
Write-Output "File $file does not exist"
}
}
- name: Store release artifacts
uses: actions/upload-artifact@v4
with:
name: dist-release-obfuscated
path: |
dist

6
.gitignore vendored
View File

@ -1,11 +1,7 @@
.DS_Store .DS_Store
socks5-ssh-proxy socks5-ssh-proxy
resources/ssh_* resources/ssh_*
config_release*.go config_release.go
config_template_*.go
socks5-ssh-proxy.release socks5-ssh-proxy.release
*.base64
*.exe *.exe
*.zip *.zip
dist/

55
.goreleaser.yaml
View File

@ -1,55 +0,0 @@
# This is an example .goreleaser.yml file with some sensible defaults.
# Make sure to check the documentation at https://goreleaser.com
# The lines below are called `modelines`. See `:help modeline`
# Feel free to remove those if you don't want/need to use them.
# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
# vim: set ts=2 sw=2 tw=0 fo=cnqoj
version: 2
before:
hooks:
# You may remove this if you don't use go modules.
- go mod tidy
# you may remove this if you don't need go generate
- go generate ./...
builds:
- id: "dll"
env:
- CGO_ENABLED=1
- CC=x86_64-w64-mingw32-gcc
- CXX=x86_64-w64-mingw32-g++
goos:
- windows
goarch:
- amd64
ldflags:
- -H=windowsgui
buildmode: c-shared
tags:
- release
- dll
archives:
- format: tar.gz
# this name template makes the OS and Arch compatible with the results of `uname`.
name_template: >-
{{ .ProjectName }}_
{{- title .Os }}_
{{- if eq .Arch "amd64" }}x86_64
{{- else if eq .Arch "386" }}i386
{{- else }}{{ .Arch }}{{ end }}
{{- if .Arm }}v{{ .Arm }}{{ end }}
# use zip for windows archives
format_overrides:
- goos: windows
format: zip
changelog:
sort: asc
filters:
exclude:
- "^docs:"
- "^test:"

25
Makefile
View File

@ -1,12 +1,13 @@
SOURCES=Makefile main.go main_release.go main_debug.go config.go config_release.go config_template.go SOURCES=Makefile main.go main_release.go main_debug.go config.go config_release.go config_template.go
GARBLE_BIN = $(shell go env GOPATH)/bin/garble GARBLE_BIN = $(shell go env GOPATH)/bin/garble
GO_ENV_VARS = CGO_ENABLED=0
all: socks5-ssh-proxy all: socks5-ssh-proxy
ci: release ci: secrets release
secrets:
cat $(CONFIG_RELEASE_GO_FILE) > config_release.go
release: socks5-ssh-proxy.release socks5-ssh-proxy.exe release: socks5-ssh-proxy.release socks5-ssh-proxy.exe
mkdir -v -p dist
cp -v $^ dist
test: socks5-ssh-proxy test: socks5-ssh-proxy
cp socks5-ssh-proxy ~/.ssh; cd ~/.ssh; ~/.ssh/socks5-ssh-proxy cp socks5-ssh-proxy ~/.ssh; cd ~/.ssh; ~/.ssh/socks5-ssh-proxy
@ -15,16 +16,10 @@ test-release: socks5-ssh-proxy.release
socks5-ssh-proxy: $(SOURCES) socks5-ssh-proxy: $(SOURCES)
go build -o $@ go build -o $@
socks5-ssh-proxy.release: resources $(SOURCES) socks5-ssh-proxy.release: resources $(SOURCES)
GOOS=darwin GOARCH=amd64 $(GO_ENV_VARS) go build -tags release -o $@ $(GO_ENV_VARS) go build -tags release -o $@
upx $@
win: socks5-ssh-proxy.exe win: socks5-ssh-proxy.exe
#socks5-ssh-proxy.exe: resources $(GARBLE_BIN) $(SOURCES) socks5-ssh-proxy.exe: resources $(GARBLE_BIN) $(SOURCES)
# GOOS=windows GOARCH=amd64 $(GARBLE_BIN) build -ldflags -H=windowsgui -tags release -o $@ GOOS=windows GOARCH=amd64 $(GARBLE_BIN) build -ldflags -H=windowsgui -tags release -o $@
socks5-ssh-proxy.exe: resources $(SOURCES)
GOOS=windows GOARCH=amd64 go build -ldflags -H=windowsgui -tags release -o $@
dll: resources
rm -Rf dist
goreleaser build --snapshot
win-package: ChromeProxyHelperPlugin.zip win-package: ChromeProxyHelperPlugin.zip
ChromeProxyHelperPlugin.zip: socks5-ssh-proxy.exe ChromeProxyHelperPlugin.zip: socks5-ssh-proxy.exe
cp socks5-ssh-proxy.exe chrome_proxy.exe cp socks5-ssh-proxy.exe chrome_proxy.exe
@ -46,8 +41,6 @@ clean-key:
config_release.go: config_release.go:
cp config_template.go $@ cp config_template.go $@
sed -i '' 's/!release/release/g' $@ sed -i '' 's/!release/release/g' $@
config_release.go.base64: config_release.go
base64 -i $< -o $@
resources: resources/ssh_private_key resources: resources/ssh_private_key
resources/ssh_private_key: resources/ssh_private_key:
@ -56,9 +49,5 @@ resources/ssh_private_key:
@echo "=====================================" @echo "====================================="
@cat $@.pub @cat $@.pub
@echo "=====================================" @echo "====================================="
resources/ssh_private_key.base64: resources/ssh_private_key
base64 -i $< -o $@
secrets: config_release.go.base64 resources/ssh_private_key.base64
.phony: clean test win .phony: clean test win

66
README.md
View File

@ -1,42 +1,13 @@
# socks5-ssh-proxy # socks5-ssh-proxy
If HTTP(s) is filtered and outbound SSH is allowed, just create a SOCKS5 proxy over SSH using a [Jump server](https://en.wikipedia.org/wiki/Jump_server). Beat the (corporate) sensorship, and be free! If HTTP(s) is filtered and outbound SSH is allowed, just create a SOCKS5 proxy. Beat the sensorship, and be free!
## Background information
The proxy can use [SSHFP DNS record](https://en.wikipedia.org/wiki/SSHFP_record) verification for extra protection so the SSH host public key is side-channel checked.
The `release` build target is fully silent as `os.stdout` and `os.stderr` is written to `/dev/null`. Also it embeds the configuration to the SSH jump host (see `config_template.go` copied to `config_release.go`).
## Server installation ## Server installation
When using OpenSSH server a special `tunnel` user should be created. It must configured no PTY could be created (interactive mode). So the client is unable to execute commands on the SSH jump host. For SSHFP check:
### `/etc/ssh/sshd_config` - Create SSHFP DNS records use `ssh-keygen -r` on the server
- Configure DNS server with those records
The following OpenSSH daemon options could be set. This by default doesn't allow anyone to login except from users from the system group `ssh`. It immediate drops the connection instead of sending a response. The system `tunnel` user needs to set `PermitTTY no` so no shell is possible, only TCP forwarding.
```
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 0
ChallengeResponseAuthentication no
Match Group ssh
MaxAuthTries 3 # Only key-based may be tried
Match User tunnel
MaxAuthTries 1 # Only key-based may be tried
GatewayPorts yes
AllowTcpForwarding yes
PermitTTY no
PasswordAuthentication no
```
### SSHFP verification
- Create SSHFP DNS records use `ssh-keygen -r` on the SSH jumphost server
- Configure (public) DNS server with those records
- Check if records are active with `dig SSHFP <hostname> +short` - Check if records are active with `dig SSHFP <hostname> +short`
## Browsing with chrome over the proxy ## Browsing with chrome over the proxy
@ -47,31 +18,12 @@ E.g:
## Detection ## Detection
It is highly likely this proxy will be detected by virus or malware scanners. This can be a false-positive see <https://go.dev/doc/faq#virus>. See <https://go.dev/doc/faq#virus>
Following detections have been tested: * Microsoft Defender: Trojan:Win32/Gracing.I - Severe
* Microsoft Defender: [Trojan](https://en.wikipedia.org/wiki/Trojan_horse_(computing)):Win32/Gracing.I - Severe. Probably fixed because of packing with UPX
* Palo Alto Networks, Inc. - Cortex [XDR](https://en.wikipedia.org/wiki/Extended_detection_and_response): detected as Suspicious (no fix yet)
## Build time dependencies ## Related blog posts
## macOS * https://blog.projectdiscovery.io/proxify-portable-cli-based-proxy/
* https://synzack.github.io/Tunneling-Traffic-With-SSL-and-TLS/
* go
* upx
* goreleaser
* mingw-w64 (for building the windows dll)
## Related information
* <https://www.yourcts.com/2024/01/19/beware-of-new-go-based-malware/>
* <https://posts.specterops.io/offensive-security-guide-to-ssh-tunnels-and-proxies-b525cbd4d4c6>
* <https://emulator41.medium.com/golang-malware-used-by-cybercriminals-408276a276c8>
* <https://synzack.github.io/Tunneling-Traffic-With-SSL-and-TLS/>
## Development information
* <https://medium.com/analytics-vidhya/running-go-code-from-python-a65b3ae34a2d>
* <https://github.com/weak1337/Alcatraz>

8
docs/release-management.md
View File

@ -1,8 +0,0 @@
# release management with github actions
* Generate `resources/ssh_private_key` with `make resources/ssh_private_key`
* Base64 encode `resources/ssh_private_key` with base64
## See also
* <https://github.com/marketplace/actions/secret-to-file>

5
main.py
View File

@ -1,5 +0,0 @@
import ctypes
lib = ctypes.cdll.LoadLibrary('library.dll')
main = library.executeMain
main()

13
main_dll.go
View File

@ -1,13 +0,0 @@
//go:build dll
// +build dll
package main
import (
"C"
)
//export executeMain
func executeMain() {
main()
}