How the Brook and Shiliew GUI works

https://www.txthinking.com/talks/
Created at: 15 Nov 2021
Updated at: 12 Dec 2022
cloud@txthinking.com

Table of Contents

Brook

https://github.com/txthinking/brook

Shiliew

https://www.txthinking.com/shiliew.html

macOS graphical client proxy mode, Windows graphical client proxy mode

You can see the proxy mode in Proxy & Tun in the left menu of the graphical client. In this mode, it will ignore: Bypass IP, DNS, Fake DNS, Block list, Block configuration items.

In this mode, will create:

rule

Data flow

macOS graphical client tun mode, Windows graphical client tun mode, iOS graphical client, Android graphical client

rule

can be specified

Data flow

Configure system DNS

Brook client will automatically choose to configure system v4 DNS or v6 DNS according to the current network IPv4/IPv6 situation and server IPv4/IPv6.

When Fake DNS is disabled

We know that a network request generally first queries the domain name to get the IP, and then initiates a request to the IP.

  1. An application is ready to initiate a network request
  2. The first is the IP of the DNS query domain name

  3. The IP of the domain name has been queried, ready to initiate a network request to this target IP

Fake DNS when enabled

We know that a network request generally first queries the domain name to get the IP, and then initiates a request to the IP.

  1. An application is ready to initiate a network request
  2. The first is the IP of the DNS query domain name

  3. The IP of the domain name has been queried, ready to initiate a network request to this target IP

Brook graphics client import server list

Why and how to turn off system and browser secure DNS

At present, the Android system has built-in Private DNS (DoT), and the desktop and mobile versions of Chrome provide built-in Secure DNS (DoH). This is ideal for the full-scale Anycast network world and the DNS query of ordinary users without a proxy can be encrypted in the intermediate network. But Reality is not ideal.

Suppose a domain name provides different IPs for multiple regions, and the final resolved IP depends on:

  1. DNS Server used
  2. The network that initiates the DNS query

When DoT or DoH is turned on, the query content cannot be intercepted to achieve the effect of using different DNS resolutions for different domain names, and FakeDNS cannot be used to resolve domain names on the server side to avoid one more network request.

So we're going to close it:

Will closing it reduce security?

No. You can enable FakeDNS or configure DoH in the Brook GUI.

MITM

Note: This feature requires programming skills and will run your script to intercept and modify HTTP and HTTPS. At the same time, if it is complicated to write, it may take up more resources and performance.

ROOT CA

https://txthinking.github.io/ca/ca.pem

Require

macOS

MITM requires tun mode

nami install mad ca.txthinking
sudo mad install --ca ~/.nami/bin/ca.pem

Windows

MITM requires tun mode

nami install mad ca.txthinking

Open GitBash as administrator

mad install --ca ~/.nami/bin/ca.pem

iOS

https://www.youtube.com/watch?v=HSGPC2vpDGk

Android

Android subsystem CA and user CA must be installed into the system CA after rooting

rule

One protocol and address per line

Example

http://http3.ooo:80
https://http3.ooo:443
https://4.http3.ooo:443
https://6.http3.ooo:443

https://txthinking.github.io/bypass/mitm.txt

script

request

request represents an HTTP Request, which is a map

{
	"Method": "GET", // string, request method
	"URL": "https://http3.ooo/", // string, request url
	"Body": bytes, // bytes, request body
	"...": "...",
	"User-Agent": "...", // string, all other keys are request header
	"...": "..."
}

response

response represents an HTTP Response, which is a map

{
	"StatusCode": 200, // int, response status code
	"Body": bytes, // bytes, request body
	"...": "...",
	"Server": "txthinking", // string, all other keys are response header
	"...": "..."
}

process

  1. Brook matches the rule address first, and then prepares data according to the protocol corresponding to the address in the rule
  2. Brook passes request to the script, response is now undefined. The script can choose:
  3. Brook sends the request returned by the script to the server
  4. Brook gets the response from the destination
  5. Brook passes response to the script, request is now the request of the first return, the script must: modify or not modify response and return response

MITM with Body

If not turned on

If enabled. Will consume more memory

Example

text := import("text")

_ := (func(request, response) {

    // Begin

    if(!response){
        if(text.has_prefix(request["URL"], "http://http3.ooo")){
            return {
                "StatusCode": 301,
                "Location": text.replace(request["URL"], "http://", "https://", 1)
            }
        }
        if(text.has_prefix(request["URL"], "https://http3.ooo")){
            request["User-Agent"] = "curl/7.79.1"
            return request
        }
        return request
    }
    if(text.has_prefix(request["URL"], "https://6.http3.ooo")){
        response["Body"] = bytes("You hacked me :)")
        return response
    }
    return response
    // End

})(request, response)

https://txthinking.github.io/bypass/mitm.tengo

Debug

You can use App Privacy Report mitmproxy helper and Wireshark Helper capture packets to determine what to modify. The principle difference of mobile phone packet capture software

Use tun2brook to debug the script so you can print data inside the script

Log

macOS and Windows need to enable tun mode

It is recommended to enable it only when necessary. Prevent the log file from being too large.

Apple push issues

To receive pushes, Apple Server only allows Ethernet, cellular data, Wi-Fi connections. So you need to Bypass the relevant domain name and IP:

https://support.apple.com/en-us/HT210060

https://support.apple.com/en-us/HT210060

Domain

apple.com
icloud.com
cdn-apple.com
mzstatic.com
entrust.net
digicert.com
verisign.net
apple

CIDR4

17.0.0.0/8
103.81.148.0/22
103.81.148.0/24
103.81.149.0/24

CIDR6

2620:149:a44::/48
2403:300:a42::/48
2403:300:a51::/48
2a01:b740:a42::/48

Other resources