UDP programming: getting through a SOCKS5 proxy

zhaozj 2021-02-08

In network programming, many people choose UDP as the data transfer protocol, because it is simpler and consumes fewer network and system resources than TCP. In enterprise applications, however, network security policy often means that IP traffic other than on specific ports cannot pass the dedicated router or gateway. To support such applications, the SOCKS4/SOCKS5 protocols were developed. The SOCKS protocol lets proxy software that implements it (the firewall and the proxy are treated as the same thing here) give clients inside the firewall access to the outside through the firewall, and even let them wait for connections from outside. Client software inside the firewall only has to negotiate with the firewall and then exchange data with it; hosts outside the firewall likewise exchange data directly with the firewall and cannot see the internal network behind it. Everything therefore passes under the firewall's supervision, and most applications that exchange data directly (HTTP, FTP and so on) can be handled this way. How an application inside the firewall passes UDP data out through the firewall and receives UDP datagrams from outside is what is called UDP programming through a SOCKS proxy.

RFC 1928 describes the details of the SOCKS protocol: how the client negotiates with the SOCKS proxy and obtains a way to transmit through it. The English text is at http://www.ietf.org/rfc/rfc1928.txt. A Chinese translation, which does not read very smoothly (though the translator clearly worked hard at it), is available for those whose English is weak at http://www.china-pub.com/computers/emook/0541/info.htm. It is recommended that you read those links before continuing with the rest of this article.

Most proxy software implements two versions of the SOCKS protocol, SOCKS4 and SOCKS5. SOCKS5 supports relaying UDP packets and a variety of authentication methods, and, with the development of IP in mind, also supports IPv6. For TCP the proxy supports two modes, BIND and CONNECT. CONNECT is used when the client actively connects to a service outside the proxy: the proxy initiates the real connection to the external service on the client's behalf and relays the data exchanged over that connection. BIND is used by protocols that require the client to accept a connection from the server, such as FTP, where in addition to the client-to-server control connection a server-to-client connection must be created to carry the actual data (note that FTP here reaches the remote host through the SOCKS protocol, not through an FTP proxy protocol). UDP relaying means the proxy acts as an intermediary for UDP traffic: it passes the host's data to the outside of the firewall, and delivers UDP datagrams that need to enter the firewall to the specific host inside it. There are many discussions and examples of TCP traversal (for instance http://www.codeproject.com/internet/casyncproxysocket.asp) but few about UDP, so this article focuses on how to get UDP data through a SOCKS5 proxy.

For testing I wrote a simple service process that listens on UDP port 8100 on the host 192.168.0.250; when it receives a UDP datagram it returns the current server time in a UDP packet. The proxy is WinGate, running on 192.168.0.1 with the SOCKS service listening on the standard port 1080. My machine is 192.168.0.10. As you can see, I cannot reach the machine running the time service directly, so I submit my request to the proxy, and the proxy process is responsible for forwarding the UDP datagrams. WinGate was chosen as the proxy software, and for simplicity it is configured so that no client authentication is required. With that background, let's start the journey through the proxy.

Whether TCP or UDP is going through the proxy, the client first has to get in touch with it. To make sure this first stage succeeds reliably, the protocol specifies that the client contacts the proxy server over TCP. Once the client has connected to the proxy's port 1080, it first sends a version identifier / method selection message over TCP, whose format is:

Version number (1 byte) | Number of authentication methods (1 byte) | Method list (1 to 255 bytes)

For SOCKS4 the version number is 0x04, but since it is SOCKS5 that supports UDP, here the byte is 0x05. This also applies to the version byte of all the subsequent message formats. The SOCKS protocol defines 256 possible authentication methods (0 to 255):

0x00 No authentication required
0x01 Generic Security Service Application Program Interface (GSSAPI)
0x02 Username/password
0x03 to 0x7F IANA assigned
0x80 to 0xFE Reserved for private methods
0xFF No acceptable methods

Obviously neither the client that initiates the SOCKS request nor the proxy that forwards SOCKS data can implement all of them (at least, there is no need to), so the client lists the methods it supports for the proxy server to choose from. If only "no authentication" is supported, the byte sequence of this message is 0x05 0x01 0x00, where 0x01 means the client offers just one method and 0x00 is that method (no authentication). If the client also supports username/password authentication, the message is 0x05 0x02 0x00 0x02. If the proxy accepts the client's request it replies, telling the client which authentication method to use. The reply format is:

Version number | Method selected by the server

If the server supports only "no authentication", it returns the byte sequence 0x05 0x00. This reply is the proxy's answer to the client's packet. The next step is to verify the client's identity according to the selected method.

Although no authentication is needed here, the 0x02 username/password method deserves a brief description. The client sends a packet in this format:

0x01 | Username length (1 byte) | Username (as many bytes as the length field says) | Password length (1 byte) | Password (as many bytes as the length field says)

It is not clear to me why the first byte of this packet is 0x01 (presumably by convention). The total message length depends on the actual lengths of the username and password; neither needs to end with '\0'. The server checks the information provided and returns the following byte sequence:

0x01 | Verification result

A result of 0x00 means authentication succeeded; any other value indicates a failure, and the next protocol step cannot proceed.

After the authentication step, the next step is to settle the ports for the UDP transfer. Two ports matter here:
1. The local port from which the client sends its UDP data. On one hand this tells the proxy where the data comes from; on the other hand, if data comes back, the proxy delivers it to this port, which completes the UDP loop.
2. The port on which the proxy receives the client's UDP datagrams, i.e. the proxy's UDP socket facing the client. Once both sides have negotiated it, the client can keep sending data to the external host through this port, and the proxy uses it to pass back the UDP data the external host returns to the client that issued the UDP request.

The client then sends, over TCP, a byte sequence in the following format:

Protocol version | SOCKS command | Reserved byte | Address type | Address | Port

There are three SOCKS commands: CONNECT (0x01), BIND (0x02) and UDP ASSOCIATE (0x03). The reserved byte is one byte, 0x00. There are three address types:
0x01 The address is an IPv4 address, 4 bytes long.
0x03 The address contains a full domain name; the first byte gives the number of bytes in the name that follows, with no terminating '\0'.
0x04 The address is an IPv6 address, 16 bytes long.

The address is generally only meaningful on multi-homed hosts; if the host has a single IP, or you do not care which IP originates the UDP traffic, you can fill in 0.0.0.0 with address type 0x01. What matters is the UDP port from which the transfer will originate. To avoid conflicts from hard-coding a port, create a UDP socket first, use the port that socket was assigned as the UDP port, and inform the proxy server of it in this step. For example, if a UDP socket is created and bound to port 2233 as the local port for the UDP data, the message is:

0x05 0x03 0x00 0x01 0x00 0x00 0x00 0x00 0x08 0xB9

where 0x08B9 converted to decimal is 2233. The proxy server replies with the address and port it has bound for this client, telling the client that UDP data sent to that address and port will get through the proxy.

The reply byte sequence is:

Version | Proxy reply | Reserved (1 byte) | Address type | Proxy server address | Bound proxy port

The proxy reply can be:
0x00 Negotiation succeeded
0x01 General SOCKS failure
0x02 Connection not allowed
0x03 Network unreachable
0x04 Host unreachable
0x05 Connection refused
0x06 TTL expired
0x07 Command not supported
0x08 Address type not supported
0x09 to 0xFF Reserved

The proxy address is the IP the client must send its UDP data to, and the bound port is the port on which the proxy receives that data and forwards it. Address type and address are as explained above.

After the above TCP negotiation steps, the client now knows exactly which IP and port of the proxy server its UDP data has to be sent to, and the proxy server knows which client IP and port will be sending data to it. When the proxy receives, as a result of forwarding that UDP datagram, a datagram returned from the remote target host, it returns it, according to the agreement, to the client's port. Since the proxy port bound in the reply carries UDP data for many destinations, each datagram must be packed in a certain format: a header is added in front of the data, specifically:

Reserved (2 bytes, 0) | Fragment reassembly flag | Address type | Target address outside the proxy | Target host port | Data the proxy must forward

If the fragment flag is 0 the datagram stands alone and needs no reassembly; other values give a sequence number for reassembling UDP fragments. The address here is the server that finally receives this UDP data from the proxy, 192.168.0.250 in this example, and the port is 8100. Depending on the address type, the position at which the data starts differs: for IPv4 the data starts at byte 10 of the whole UDP message; for a domain name it starts at up to byte 262 (one length byte plus up to 255 bytes of name); for the IPv6 address type the data field starts at byte 20. These offsets need attention when we actually transfer data.
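The TCP negotiation described above (method selection, optional username/password sub-negotiation, UDP ASSOCIATE request and reply) as a set of message builders and parsers, written here as an added example in Python; it is not the Java class the article attaches. Constants and reply codes follow RFC 1928 and RFC 1929; the proxy address used in the udp_associate docstring is the article's WinGate host, and everything else (function names, the credentials tuple) is this example's own choice. Note that udp_associate deliberately hands the control socket back to the caller, because closing it ends the UDP association.

```python
import socket
import struct

SOCKS_VERSION = 0x05
CMD_UDP_ASSOCIATE = 0x03
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NO_ACCEPTABLE = 0x00, 0x02, 0xFF
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Reply codes from RFC 1928, keyed by the REP byte of the proxy's answer.
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_method_selection(methods):
    """VER | NMETHODS | METHODS..., e.g. [0x00, 0x02] -> 05 02 00 02."""
    if not 1 <= len(methods) <= 255:
        raise ValueError("must offer 1..255 methods")
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_method_reply(data):
    """VER | METHOD. Returns the method the proxy chose; 0xFF means it rejected us."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed method-selection reply: %r" % data)
    if data[1] == METHOD_NO_ACCEPTABLE:
        raise ConnectionError("proxy accepts none of the offered methods")
    return data[1]


def build_userpass(username, password):
    """RFC 1929 sub-negotiation: 0x01 | ULEN | UNAME | PLEN | PASSWD (no NUL terminators)."""
    u, p = username.encode("utf-8"), password.encode("utf-8")
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("username and password must each be 1..255 bytes")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def parse_userpass_reply(data):
    """0x01 | STATUS; only STATUS 0x00 means the credentials were accepted."""
    if len(data) != 2 or data[0] != 0x01:
        raise ValueError("malformed username/password reply: %r" % data)
    return data[1] == 0x00


def build_udp_associate(client_ip="0.0.0.0", client_port=0):
    """VER | CMD=0x03 | RSV | ATYP=0x01 | DST.ADDR | DST.PORT.
    DST.PORT is the local port the client will send its UDP datagrams from."""
    return (bytes([SOCKS_VERSION, CMD_UDP_ASSOCIATE, 0x00, ATYP_IPV4])
            + socket.inet_aton(client_ip) + struct.pack("!H", client_port))


def parse_associate_reply(data):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT -> (relay address, relay port).
    BND.ADDR/BND.PORT is where the client must send its encapsulated UDP datagrams."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed UDP ASSOCIATE reply: %r" % data)
    rep, atyp = data[1], data[3]
    if rep != 0x00:
        raise ConnectionError("UDP ASSOCIATE refused: "
                              + REPLY_TEXT.get(rep, "reserved code 0x%02x" % rep))
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("ascii"), data[5 + n:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(rest) != 2:
        raise ValueError("UDP ASSOCIATE reply has wrong length")
    return addr, struct.unpack("!H", rest)[0]


def udp_associate(proxy_host, proxy_port, udp_sock, credentials=None):
    """Run the whole TCP negotiation and return (control_socket, relay_address).
    Keep control_socket open for as long as the relay is in use: closing it ends
    the UDP association. In the article the proxy is WinGate at 192.168.0.1:1080;
    credentials, if given, is a hypothetical (username, password) tuple."""
    ctl = socket.create_connection((proxy_host, proxy_port), timeout=10)
    methods = [METHOD_NO_AUTH, METHOD_USERPASS] if credentials else [METHOD_NO_AUTH]
    ctl.sendall(build_method_selection(methods))
    chosen = parse_method_reply(ctl.recv(2))
    if chosen == METHOD_USERPASS:
        ctl.sendall(build_userpass(*credentials))
        if not parse_userpass_reply(ctl.recv(2)):
            ctl.close()
            raise ConnectionError("proxy rejected the username/password")
    local_port = udp_sock.getsockname()[1]        # port the UDP socket was bound to
    ctl.sendall(build_udp_associate("0.0.0.0", local_port))
    relay = parse_associate_reply(ctl.recv(262))  # 262 = longest possible reply
    return ctl, relay
```

A caller creates a UDP socket, binds it (port 0 lets the OS pick a free port, avoiding the conflict the article warns about), calls udp_associate, and then sends its encapsulated datagrams to the returned relay address while holding on to the control socket.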

If we want to send 10 bytes of the value 9 to port 1024 of 96.96.96.96, the transmitted byte sequence is roughly:

00 00 00 01 60 60 60 60 04 00 09 09 09 ... 09
(reserved, fragment flag, IPv4 address type, target host IP 96.96.96.96, port 1024, then the data from here on)

If the remote target host returns data, the proxy server packs it the same way when it sends it back to the UDP client, i.e. it adds a header. The client must consume this header, which also tells the UDP client which server sent the data back. For the code, see the attached project: I wrote SOCKS5 UDP support as a Java class for your reference; see the comments for explanations.

From the above analysis we can summarize the points that need attention when doing UDP programming through SOCKS5:

1. Authentication in SOCKS5 programming. Because a firewall normally blocks connections between inside and outside, while SOCKS can connect outside through any port, SOCKS5 adds authentication to the SOCKS protocol as an improvement over SOCKS4. The protocol does not prescribe a particular method; it depends on what the firewall and the client support. This means the client must tell the proxy server which methods it supports at the start of negotiation, and the proxy server picks one that it has implemented and replies to the client. Different proxy servers and clients will likely differ in the methods they use, and this must be decided according to the specific application environment. This adds difficulty for SOCKS5 client and proxy server software, but improves security.

2. Keeping the TCP connection. To send UDP datagrams through the proxy, the client must first establish a TCP connection to the proxy server and, through a series of exchanges, obtain the proxy's permission to send. At the same time the proxy records the client IP and port registered with the SOCKS service, which guarantees that data returned from the far end can be sent back through the proxy to the right UDP client (because it has registered a mapping for the UDP socket). So to send UDP data this TCP connection must be established and maintained. RFC 1928 also says that the UDP channel is closed once the TCP connection is closed; otherwise the proxy would consider the UDP request finished and would not keep the mapping record for the UDP socket, so every UDP send would require a new TCP negotiation of the UDP mapping, which is unnecessary trouble. So we need to keep the UDP client's TCP connection to the proxy server open and must not close it.

3. The local UDP port. UDP is tied to a specific port, so be sure to tell the proxy the client's UDP port during negotiation. Bind the UDP socket to a port so that the proxy receives UDP data from it and forwards it, and the proxy in turn tells the client which port it will use to send returned data back; this port is returned to the client. This is important; the author made a mistake here and wasted a lot of time on it.

4. TCP/UDP connection pairing. Using SOCKS5 takes up at least one TCP connection per UDP association, which burdens the proxy server. In a specific application, the load on the proxy server therefore needs to be considered.
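The UDP header described above (the 96.96.96.96 example and the three address types) as encapsulation and decapsulation routines, written here as an added Python example rather than code from the article's attached project. It derives the data offset from the header fields instead of hard-coding it, drops fragmented datagrams (FRAG != 0) because it does not implement reassembly, and in recv_via_relay discards datagrams whose source is not the negotiated relay address, so that stray packets to the client's UDP port cannot be mistaken for relayed replies. The hostnames and payloads in the test are constructed for illustration; the send/recv helpers assume the relay address tuple returned by UDP ASSOCIATE.

```python
import ipaddress
import socket
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def _encode_address(host):
    """Choose ATYP from the host string: IPv4 literal, IPv6 literal, or domain name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name must be 1..255 bytes")
        return bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def encapsulate(host, port, payload, frag=0):
    """RSV (2 zero bytes) | FRAG | ATYP | DST.ADDR | DST.PORT | DATA."""
    if not 0 <= frag <= 255 or not 0 <= port <= 65535:
        raise ValueError("frag must be 0..255 and port 0..65535")
    return (b"\x00\x00" + bytes([frag]) + _encode_address(host)
            + struct.pack("!H", port) + payload)


def data_offset(datagram):
    """Index at which DATA starts, computed from ATYP (10 for IPv4, 7+n for a
    domain name of n bytes, 22 for IPv6) instead of being hard-coded."""
    if len(datagram) < 5 or datagram[0:2] != b"\x00\x00":
        raise ValueError("bad reserved bytes or truncated header")
    atyp = datagram[3]
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_DOMAIN:
        addr_len = 1 + datagram[4]
    elif atyp == ATYP_IPV6:
        addr_len = 16
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    offset = 4 + addr_len + 2
    if len(datagram) < offset:
        raise ValueError("datagram shorter than its own header")
    return offset


def decapsulate(datagram):
    """Return (host, port, payload). Datagrams with FRAG != 0 are rejected: a client
    that does not implement reassembly must drop them rather than misparse them."""
    offset = data_offset(datagram)
    frag, atyp = datagram[2], datagram[3]
    if frag != 0:
        raise ValueError("fragmented datagram (FRAG=%d) dropped: no reassembly" % frag)
    if atyp == ATYP_IPV4:
        host = socket.inet_ntoa(datagram[4:8])
    elif atyp == ATYP_DOMAIN:
        host = datagram[5:5 + datagram[4]].decode("idna")
    else:
        host = socket.inet_ntop(socket.AF_INET6, datagram[4:20])
    port = struct.unpack("!H", datagram[offset - 2:offset])[0]
    return host, port, datagram[offset:]


def send_via_relay(udp_sock, relay, host, port, payload):
    """Send payload to host:port through the (ip, port) relay from UDP ASSOCIATE."""
    udp_sock.sendto(encapsulate(host, port, payload), relay)


def recv_via_relay(udp_sock, relay, bufsize=65535):
    """Receive one relayed datagram, ignoring anything not sent by the relay itself."""
    while True:
        datagram, source = udp_sock.recvfrom(bufsize)
        if source[:2] != tuple(relay[:2]):   # only the relay may speak to this socket
            continue
        return decapsulate(datagram)         # (original sender host, port, payload)
```

decapsulate reports the address the proxy placed in the header, which is how the client learns which server a reply came from, as the article notes.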

That is a little about getting UDP through a SOCKS5 proxy; corrections are welcome. TNT

Please cite the original address when reposting: https://www.9cbs.com/read-3091.html
