Ask Your Question
0

How to decode the first UDP datagram from UDP over socks5 interaction?

asked 2024-03-01 17:36:31 +0000

greggyNapalm gravatar image

Hi! I'm investigating the compatibility of opensource proxy client and one of the servers impelmentation. TCP part deconding works good, I see all neede info. But due to UDP over socks5 semantic in one moment client switch to UDP and send datagram to previously gathered addr. I found definition of this datagram in RFC but wireshark showing it as bytes. https://datatracker.ietf.org/doc/html...

It might be that some body allready has written the decessor and I just don't know how to find and apply it. If not, Am I right that I need to write decessor using lua or C(I never did it before)?

edit retag flag offensive close merge delete

Comments

Do you have a capture file you can share?

Chuckc gravatar imageChuckc ( 2024-03-01 17:49:13 +0000 )edit

Here is the pcap file https://api.datascrape.tech/static/ud... . I don't have enough point to attach content. There is PROXY AUTH data inside, but don't mind I've changed it already.

I want to decode packet #16: UDP 192.168.50.38:62497 -> 23.109.13.244:5000

greggyNapalm gravatar imagegreggyNapalm ( 2024-03-02 08:41:33 +0000 )edit

Thanks! It gets added as a conversation. Nothing logged when Wireshark started with debug. Will need to dig in to verify whether its a bug or config issue.

Chuckc gravatar imageChuckc ( 2024-03-02 15:25:16 +0000 )edit

It's a bug - the UDP conversation is getting added using the source and destination addresses of frame 14 (which has the reply), but it needs to use the source and destination addresses contained within the command (stored in the hash_info) It also might need to create the conversation with NO_PORT2 since one of the ports given is 0. The processing in socks_udp_dissector also might need to do something special if hash_info->port == 0.

johnthacker gravatar imagejohnthacker ( 2024-03-02 16:58:03 +0000 )edit

So, Am I getting it right that I need to write this socks_udp_dissector myself and there is no available implementation?

greggyNapalm gravatar imagegreggyNapalm ( 2024-03-02 19:41:41 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted
1

answered 2024-03-03 21:55:28 +0000

johnthacker gravatar image

Am I getting it right that I need to write this socks_udp_dissector myself and there is no available implementation?

No, there is an implementation. What is supposed to happen is when the Socks5 over TCP packets in frame 12 and 14 are decoded, they set up a conversation instructing Wireshark to use the socks_udp_dissector (which exists and works) to handle UDP datagrams from the indicated host and port. That isn't quite working, because it's not using the correct port. (The Socks messages indicate that the UDP will be on a different host and port, but it's using the existing host. Also it's not handling the wildcarded port (0) correctly.)

If that worked, then the socks_udp_dissector would dissect the packets and try to hand them off as though they came in from the forwarded port indicated in the Socks header, 443. That is the part that you would have to write if you wanted dissector - right now it's would be handed to the data dissector because it's just a string you put there.

You can't just assign port 5000 on UDP to the socks UDP dissector, because it depends on the conversation being set up from the standard socks over TCP dissector.

edit flag offensive delete link more
0

answered 2024-06-28 13:25:19 +0000

Chuckc gravatar image

Adding this as an answer since the "More comments" button is overlooked.

Timestamps don't match but these are related (future SOCKS5 searches here in Ask):
19669: socks (socks5): non-standard port (tcp.port) preference not working

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-03-01 17:36:31 +0000

Seen: 393 times

Last updated: Jun 28