Merge pull request #20 from shadowy-pycoder/ndpspoof

added basic logic to handle ndp spoofing

Author: shadowy-pycoder

.gitignore

@@ -32,4 +32,5 @@ models/**/*
 *.model
 *.vocab
 *.yaml
+rules.sh
 

README.md

@@ -25,6 +25,7 @@
   - [UDP support](#udp-support)
   - [Android support](#android-support)
   - [IPv6 support](#ipv6-support)
+  - [NDP spoofing](#ndp-spoofing)
 - [Traffic sniffing](#traffic-sniffing)
   - [JSON format](#json-format)
   - [Colored format](#colored-format)
@@ -75,6 +76,9 @@ Specify http server in proxy configuration of Postman
 - **ARP spoofing**\
   Proxy entire subnets with ARP spoofing approach
 
+- **NDP spoofing**\
+  Proxy IPv6 connections using Router/Neighbor Advertisement and RDNSS injections.
+
 - **DNS Leak Protection**\
   DNS resolution occurs on SOCKS5 server side.
 
@@ -108,7 +112,7 @@ You can download the binary for your platform from [Releases](https://github.com
 Example:
 
 ```shell
-GOHPTS_RELEASE=v1.12.0; wget -v https://github.com/shadowy-pycoder/go-http-proxy-to-socks/releases/download/$GOHPTS_RELEASE/gohpts-$GOHPTS_RELEASE-linux-amd64.tar.gz -O gohpts && tar xvzf gohpts && mv -f gohpts-$GOHPTS_RELEASE-linux-amd64 gohpts && ./gohpts -h
+GOHPTS_RELEASE=v1.12.1; wget -v https://github.com/shadowy-pycoder/go-http-proxy-to-socks/releases/download/$GOHPTS_RELEASE/gohpts-$GOHPTS_RELEASE-linux-amd64.tar.gz -O gohpts && tar xvzf gohpts && mv -f gohpts-$GOHPTS_RELEASE-linux-amd64 gohpts && ./gohpts -h
 ```
 
 Alternatively, you can install it using `go install` command (requires Go [1.26](https://go.dev/doc/install) or later):
@@ -184,8 +188,10 @@ OPTIONS:
   -wu       Number of instances of transparent UDP proxy server (Default: number of CPU cores)
   -auto     Automatically setup iptables for transparent proxy (requires elevated privileges)
   -arpspoof Enable ARP spoof proxy for selected targets (Example: "targets 10.0.0.1,10.0.0.5-10,192.168.1.*,192.168.10.0/24;fullduplex false;debug true")
+  -ndpspoof Enable NDP spoof proxy for selected targets (Example: "ra true;na true;targets fe80::3a1c:7bff:fe22:91a4;fullduplex false;debug true")
   -mark     Set mark for each packet sent through transparent proxy (Default: redirect 0, tproxy 100)
   -P        Comma separated list of ports to ignore when proxying traffic (Example: "22,80,443,9092")
+  -dump     Dump iptables rules and other system settings generated by -auto flag
 ```
 
 ### Configuration via CLI flags
@@ -541,6 +547,8 @@ sudo bettercap -eval "net.probe on;net.recon on;set arp.spoof.fullduplex true;ar
 
 Check proxy logs for traffic from other devices from your LAN
 
+For more information about arpspoof options see `gohpts -h` and [https://github.com/shadowy-pycoder/arpspoof](https://github.com/shadowy-pycoder/arpspoof)
+
 ### UDP support
 
 [[Back]](#table-of-contents)
@@ -614,6 +622,63 @@ sudo ./gohpts -T 8888 -Tu 8889 -M tproxy -sniff -body -auto -d -6
 
 3. Visit any website on your virtual machine and see traffic in proxy logs
 
+### NDP spoofing
+
+[[Back]](#table-of-contents)
+
+`GoHPTS` has in-built functionality to perform NDP spoofing in IPv6 networks with Router Advertisement (RA) and Neighbor Advertisement (NA) packets. It also includes RDNSS option in RA packets to put host as a IPv6 nameserver for affected clients. When combined with transparent proxy mode (TCP/UDP), NDP spoofing allows `gohpts` to proxy traffic for clients in the local networks. As is the case with [ARP spoofing](#arp-spoofing), you can set ndp spoof options with single `-ndpspoof` flag:
+
+Example:
+
+```shell
+sudo env PATH=$PATH gohpts -d -T 8888 -M tproxy -sniff -body -auto -mark 100 -ndpspoof "ra true;na true;targets fe80::3a1c:7bff:fe22:91a4;fullduplex false;debug true"
+```
+
+For more information about ndpspoof options see `gohpts -h` and [https://github.com/shadowy-pycoder/ndpspoof](https://github.com/shadowy-pycoder/ndpspoof)
+
+Plese note that some options like `rdnss`, `gateway`, `interface` are set automatically by `gohpts` itself to properly function as a proxy.
+
+Since `gohpts` proxies all connections via upstream SOCKS5 server, you need to have a working server with IPv4/IPv6 and TCP/UDP support. Obviously, a remote machine (e.g. VPS) should also have IPv6 connectivity working. Needless to say, the machine on which `gohpts` is installed should be part of network with IPv6 support.
+
+Example setup for NDP spoofing to work correctly:
+
+1. Connect to VPS
+
+```shell
+ssh remote@203.0.113.10
+```
+
+2. Install dependencies
+
+```shell
+GO_VERSION=$(curl 'https://go.dev/VERSION?m=text' | head -n1)
+cd ~/Downloads/ && wget https://go.dev/dl/$GO_VERSION.linux-amd64.tar.gz
+sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf $GO_VERSION.linux-amd64.tar.gz
+```
+
+3. Setup SOCKS5 server (make sure firewall rules do not block used ports)
+
+```shell
+git clone https://github.com/wzshiming/socks5.git && cd socks5
+go build -o ./bin/socks5_server ./cmd/socks5/*.go
+./bin/socks5_server -a :3000
+```
+
+4. Go back to your host machine and install `gohpts` (see [Installation](#installation))
+
+5. Run `gohtps`:
+
+```shell
+sudo env PATH=$PATH gohpts -s 203.0.113.10:3000 -T 8888 -Tu 8889 -M tproxy -sniff -body -auto -mark 100 -arpspoof "fullduplex true;debug true" -ndpspoof "ra true;debug true
+" -6 -d
+```
+
+6. Get another device (phone, tablet, etc) and connect it to the same network. Try to access Internet and check if some traffic appears on your host machine. Check public IP address with some online tools (it should match your VPS address `203.0.113.10` in this case or global IPv6 address)
+
+7. Stop proxy by hitting Ctrl+C
+
+8. Profit!
+
 ## Traffic sniffing
 
 [[Back]](#table-of-contents)
@@ -800,6 +865,12 @@ Learn more about transparent proxies by visiting the following links:
 - [https://github.com/semigodking/redsocks](https://github.com/semigodking/redsocks)
 - [https://github.com/ginuerzh/gost](https://github.com/ginuerzh/gost)
 
+IPv4/IPv6 network security:
+
+- [https://caster0x00.com/legless/](https://caster0x00.com/legless/)
+- [https://caster0x00.com/intercept/](https://caster0x00.com/intercept/)
+- [https://www.prosec-networks.com/en/blog/ipv6-mitm/](https://www.prosec-networks.com/en/blog/ipv6-mitm/)
+
 ## Contributing
 
 [[Back]](#table-of-contents)

cmd/gohpts/cli.go

@@ -70,8 +70,10 @@ const usageTproxy string = `
   -wu       Number of instances of transparent UDP proxy server (Default: number of CPU cores)
   -auto     Automatically setup iptables for transparent proxy (requires elevated privileges)
   -arpspoof Enable ARP spoof proxy for selected targets (Example: "targets 10.0.0.1,10.0.0.5-10,192.168.1.*,192.168.10.0/24;fullduplex false;debug true")
+  -ndpspoof Enable NDP spoof proxy for selected targets (Example: "ra true;na true;targets fe80::3a1c:7bff:fe22:91a4;fullduplex false;debug true")
   -mark     Set mark for each packet sent through transparent proxy (Default: redirect 0, tproxy 100)
   -P        Comma separated list of ports to ignore when proxying traffic (Example: "22,80,443,9092")
+  -dump     Dump iptables rules and other system settings generated by -auto flag
 `
 
 func root(args []string) error {
@@ -152,12 +154,24 @@ func root(args []string) error {
 			"",
 			"Enable ARP spoof proxy for selected targets",
 		)
+		flags.StringVar(
+			&conf.NDPSpoof,
+			"ndpspoof",
+			"",
+			"Enable NDP spoof proxy for selected targets",
+		)
 		flags.StringVar(
 			&conf.IgnoredPorts,
 			"P",
 			"",
 			`Comma separated list of ports to ignore when proxying traffic (Example: "22,80,443,9092")`,
 		)
+		flags.BoolVar(
+			&conf.Dump,
+			"dump",
+			false,
+			"Dump iptables rules and other system settings generated by -auto flag",
+		)
 	}
 	flags.StringVar(&conf.LogFilePath, "logfile", "", "Log file path (Default: stdout)")
 	flags.BoolVar(&conf.Debug, "d", false, "Show logs in DEBUG mode")
@@ -226,6 +240,11 @@ func root(args []string) error {
 			return fmt.Errorf("-wu requires -Tu flag")
 		}
 	}
+	if seen["ndpspoof"] {
+		if !seen["6"] {
+			return fmt.Errorf("-ndpspoof requires -6 flag")
+		}
+	}
 	if seen["mark"] {
 		if !seen["t"] && !seen["T"] && !seen["Tu"] {
 			return fmt.Errorf("-mark requires -t, -T or -Tu flag")
@@ -236,6 +255,11 @@ func root(args []string) error {
 			return fmt.Errorf("-P requires -auto flag")
 		}
 	}
+	if seen["dump"] {
+		if !seen["auto"] {
+			return fmt.Errorf("-dump requires -auto flag")
+		}
+	}
 	if seen["f"] {
 		for _, da := range []string{"s", "u", "U", "c", "k", "l", "i"} {
 			if seen[da] {

colorize.go

@@ -18,7 +18,7 @@ import (
 
 var (
 	ipPortPattern = regexp.MustCompile(
-		`(?:\[(?:[0-9a-fA-F:.]+(?:%[a-zA-Z0-9_.-]+)?)\]|(?:\d{1,3}\.){3}\d{1,3})(?::(6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]?\d{1,4}))?`,
+		`(?:(?:\[(?:[0-9a-fA-F:.]+(?:%[a-zA-Z0-9_.-]+)?)\]|(?:\d{1,3}\.){3}\d{1,3})(?::(6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]?\d{1,4}))?|(?:[0-9a-fA-F:]+:+[0-9a-fA-F:]+(?:%[a-zA-Z0-9_.-]+)?))`,
 	)
 	domainPattern = regexp.MustCompile(
 		`\b(?:[a-zA-Z0-9-]{1,63}\.)+(?:com|net|org|io|co|uk|ru|de|edu|gov|info|biz|dev|app|ai|tv)(?::(6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]?\d{1,4}))?\b`,
@@ -30,7 +30,9 @@ var (
 	credsPattern = regexp.MustCompile(
 		`(?i)(?:"|')?(username|user|login|email|password|pass|pwd)(?:"|')?\s*[:=]\s*(?:"|')?([^\s"'&]+)`,
 	)
-	macPattern   = regexp.MustCompile(`(?i)([a-z0-9_]+_[0-9a-f]{2}(?::[0-9a-f]{2}){2}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})`)
+	macPattern = regexp.MustCompile(
+		`(?i)(?:\b[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}\b|\b[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}\b|\b[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}\b|\b[a-z0-9_]+_[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}\b)`,
+	)
 	portsPattern = regexp.MustCompile(
 		`^\s*(?:6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]\d{0,4}|[1-9]\d{0,3})\s*(?:,\s*(?:6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]\d{0,4}|[1-9]\d{0,3})\s*)*$`,
 	)
@@ -53,6 +55,10 @@ var rColors = []func(string) *colors.Color{
 	colors.MagentaBg,
 	colors.RedBgDark,
 	colors.YellowBg,
+	colors.NewColor(215),
+	colors.NewColorBgDark(215),
+	colors.NewColor(138),
+	colors.NewColorBgDark(138),
 }
 
 func randColor() func(string) *colors.Color {
@@ -408,6 +414,9 @@ func colorizeLogMessage(line string, nocolor bool) string {
 		return line
 	}
 	result := ipPortPattern.ReplaceAllStringFunc(line, func(match string) string {
+		if macPattern.MatchString(match) {
+			return match
+		}
 		return colors.Gray(match).String()
 	})
 	result = domainPattern.ReplaceAllStringFunc(result, func(match string) string {
@@ -424,6 +433,9 @@ func colorizeErrMessage(line string, nocolor bool) string {
 		return line
 	}
 	result := ipPortPattern.ReplaceAllStringFunc(line, func(match string) string {
+		if macPattern.MatchString(match) {
+			return match
+		}
 		return colors.Red(match).String()
 	})
 	result = domainPattern.ReplaceAllStringFunc(result, func(match string) string {

go.mod

@@ -1,14 +1,15 @@
 module github.com/shadowy-pycoder/go-http-proxy-to-socks
 
-go 1.26.0
+go 1.26.1
 
 require (
 	github.com/goccy/go-yaml v1.18.0
 	github.com/google/uuid v1.6.0
 	github.com/rs/zerolog v1.34.0
-	github.com/shadowy-pycoder/arpspoof v0.0.1
-	github.com/shadowy-pycoder/colors v0.0.1
-	github.com/shadowy-pycoder/mshark v0.0.20
+	github.com/shadowy-pycoder/arpspoof v0.0.2
+	github.com/shadowy-pycoder/colors v0.0.2
+	github.com/shadowy-pycoder/mshark v0.0.21
+	github.com/shadowy-pycoder/ndpspoof v0.0.1
 	github.com/wzshiming/socks5 v0.5.2
 	golang.org/x/sys v0.33.0
 	golang.org/x/term v0.32.0

go.sum

@@ -32,12 +32,14 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
-github.com/shadowy-pycoder/arpspoof v0.0.1 h1:K5D+cVGc3SCTI4VxSB6oE2x8SJgxRjE72E8Payk2jJA=
-github.com/shadowy-pycoder/arpspoof v0.0.1/go.mod h1:dsVZh4gbbQFA4BQLEmL2qpsjtytKwxaf4oA2tRmvCW8=
-github.com/shadowy-pycoder/colors v0.0.1 h1:weCj/YIOupqy4BSP8KuVzr20fC+cuAv/tArz7bhhkP4=
-github.com/shadowy-pycoder/colors v0.0.1/go.mod h1:lkrJS1PY2oVigNLTT6pkbF7B/v0YcU2LD5PZnss1Q4U=
-github.com/shadowy-pycoder/mshark v0.0.20 h1:xZTvrh3nFHIagPsv756P4gNEz1IOj3Fc4+fRc0feWhc=
-github.com/shadowy-pycoder/mshark v0.0.20/go.mod h1:1XgkjUmooSY3p9ygd0iInTrijsYbcKMQ7RXJLNP0Ygs=
+github.com/shadowy-pycoder/arpspoof v0.0.2 h1:9GMyAcn8fuzZfftWGLEDJBQB/NJbxXnV0EQewy0nOZM=
+github.com/shadowy-pycoder/arpspoof v0.0.2/go.mod h1:TP2JF4acJTXC6MJ0mjCkR6NB1L2ov/hJQF5s5TCbiFk=
+github.com/shadowy-pycoder/colors v0.0.2 h1:l4zvGOTPS92oxPIo6g+6t8tbzhh/v+6yT5A/3TQp8rc=
+github.com/shadowy-pycoder/colors v0.0.2/go.mod h1:lkrJS1PY2oVigNLTT6pkbF7B/v0YcU2LD5PZnss1Q4U=
+github.com/shadowy-pycoder/mshark v0.0.21 h1:kRp8uk2NuQnL0ypzD/EjjK9Gq2fNSTzn2U0PJYOKNiU=
+github.com/shadowy-pycoder/mshark v0.0.21/go.mod h1:uH8wnzPH5VTeKRvCFpvMvnJmjSYY4L6RRgM1V5AnF5A=
+github.com/shadowy-pycoder/ndpspoof v0.0.1 h1:Q8gXDiBtzL09HEL0Do+Wc3fWrWw13Ld9xKllhsI3vpQ=
+github.com/shadowy-pycoder/ndpspoof v0.0.1/go.mod h1:f9nXuIck5oHR4Cm8z2Ry6NjEEsQBBKhZrLYDcHmU4HU=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/wzshiming/socks5 v0.5.2 h1:LtoowVNwAmkIQSkP1r1Wg435xUmC+tfRxorNW30KtnM=