Technology Sharing

【Guancheng Technology】WebSocket protocol proxy tunnel encrypted traffic analysis and detection

2024-07-12


WebSocket protocol proxy tunnel encrypted traffic: introduction

In attack-and-defense scenarios, the WebSocket protocol is often used to build proxy tunnels: an attacker uses it to bypass network restrictions and obtain a low-latency, bidirectional, real-time data channel. Mainstream tools that currently support WebSocket proxying include FRP, wsp, wstunnel and TurboTunnel.

Take wstunnel as an example. When wstunnel builds a tunnel proxy over WebSocket, the client completes the protocol handshake through the HTTP Upgrade mechanism. After the handshake, client and server exchange data in the WebSocket frame format in full-duplex mode: either side can send a message at any time without waiting for the other to send first. In this way wstunnel builds a high-performance, low-latency WebSocket tunnel.

Once the WebSocket handshake is complete, data is transmitted in data frames. The WebSocket tunnel traffic of wstunnel is shown in the following figure:

WebSocket MASK encryption

The WebSocket protocol carries a flag bit, Mask, which indicates whether the payload is mask-encrypted. When the bit is 1, masking is in use and the 4 bytes that follow the payload length field are the Masking-key, which also serves as the decryption key; when the bit is 0, the payload is unmasked and no Masking-key is carried. WebSocket masking is simple XOR encryption with that 4-byte key. The current WebSocket standard requires the client to mask every frame it sends, while the server sends its data without masking.

The following figure shows the traffic of another tool, wsp, with MASK encryption enabled:

Websocket Secure

In addition, WebSocket supports WSS (WebSocket Secure), written as "wss://". Here the WebSocket data is encapsulated in TLS, so what is visible at the outermost layer is ordinary TLS traffic and the transmitted data is better concealed, as shown in the figure:

  • WebSocket protocol proxy tool encrypted traffic samples

In addition to wstunnel and wsp, other tools also support WebSocket tunneling:

  1. FRP

  2. TurboTunnel

The payload encryption of the above four tools is as follows:

  1. Client encryption: FRP, wsp, TurboTunnel
  2. Server-side encryption: TurboTunnel
  3. Client-side encryption: wstunnel
  4. No encryption on the server: wstunnel, FRP, wsp
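
As an added example (not code from this page or from any of the tools named above), the following Python parses a WebSocket frame, reads the Mask bit and the 4-byte Masking-key, undoes the XOR, and flags frames whose masking does not match the client/server rule in the standard, which is the kind of per-direction check an auditor can apply to the tool behaviours listed above. The two sample frames are constructed for the example, not captured traffic.

```python
import struct

# Two constructed sample frames (not captured traffic), both carrying b"hello":
# a masked client binary frame and an unmasked server binary frame.
CLIENT_FRAME = bytes.fromhex("8285" "12345678" "7a513a147d")  # FIN|binary, MASK=1, len=5, key, masked data
SERVER_FRAME = bytes.fromhex("8205" "68656c6c6f")             # FIN|binary, MASK=0, len=5, plain data

def unmask(payload: bytes, key: bytes) -> bytes:
    """RFC 6455 masking transform: byte i XOR key[i mod 4]; XOR makes it self-inverse."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))

def parse_frame(data: bytes) -> dict:
    """Parse one WebSocket frame (RFC 6455 section 5.2) and return its fields, payload unmasked."""
    if len(data) < 2:
        raise ValueError("truncated frame header")
    fin, opcode = data[0] >> 7, data[0] & 0x0F
    masked, length = data[1] >> 7, data[1] & 0x7F
    pos = 2
    if length == 126:                        # 16-bit extended payload length
        length, pos = struct.unpack("!H", data[pos:pos + 2])[0], pos + 2
    elif length == 127:                      # 64-bit extended payload length
        length, pos = struct.unpack("!Q", data[pos:pos + 8])[0], pos + 8
    key = b""
    if masked:                               # the 4-byte Masking-key follows the length field
        key, pos = data[pos:pos + 4], pos + 4
    payload = data[pos:pos + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if masked:
        payload = unmask(payload, key)
    return {"fin": fin, "opcode": opcode, "masked": bool(masked), "key": key,
            "payload": payload, "consumed": pos + length}

def direction_anomaly(frame: dict, from_client: bool):
    """RFC 6455 section 5.1: client frames MUST be masked, server frames MUST NOT be.
    Returns a label for a violation, or None when the frame follows the rule."""
    if from_client and not frame["masked"]:
        return "unmasked client frame"
    if not from_client and frame["masked"]:
        return "masked server frame"
    return None

def audit(stream) -> list:
    """stream: iterable of (from_client, raw_frame_bytes); returns (index, label) per anomaly."""
    return [(i, label) for i, (from_client, raw) in enumerate(stream)
            if (label := direction_anomaly(parse_frame(raw), from_client))]
```

A masked server-to-client frame or an unmasked client-to-server frame is exactly the kind of deviation from the standard that the tool-by-tool table above produces, so `audit` over a reassembled stream surfaces those tools without decrypting anything.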
  • WebSocket protocol proxy tool encrypted traffic detection

The above describes the WebSocket communication traffic characteristics of several commonly used tools. The Guanchengkanyun Encrypted Threat Intelligent Detection System can effectively detect the traffic of these tools when they communicate over encrypted WebSocket:

  • Summary

In attack-and-defense drills and similar scenarios, WebSocket tunnels offer low latency, bidirectional real-time performance and strong encryption, which helps them evade traffic-auditing devices, so tools of this type have gradually become popular. Guancheng Technology's security team studied the structural characteristics of the WebSocket protocol itself, combined them with the traffic of the corresponding tools, and proposed an effective detection method that is now applied in the product. It accurately detects anomalies in WebSocket traffic, finds traces of the construction and use of such tunnels, and protects customer networks. We will continue to track and study such tunnel tools and keep improving the detection capabilities of our products.