How the Shiliew GUI works

https://talks.txthinking.com
Created at: 28 Apr 2022
Updated at: 01 May 2022
cloud@txthinking.com

Shiliew

https://shiliew.com

GUI: macOS GUI proxy mode, Windows GUI proxy mode

You can select proxy mode under Proxy & Tun in the left menu of the graphical client. In this mode the following configuration items are ignored: Bypass CIDR4 list, Bypass CIDR6 list, DNS Server, Fake DNS, Block list, Block.

In this mode, the client creates:

Rule

Data Flow

GUI: macOS tun mode, Windows tun mode, iOS, Android

Rule (can be specified)

Data Flow

Configure System DNS

The Shiliew client automatically decides whether to configure the system's IPv4 DNS or IPv6 DNS, based on whether the current network and the server are reachable over IPv4 or IPv6.

Block (block ads)

Under normal circumstances the block domain list is used to block advertisements; the second use is left for you to discover.

When Fake DNS is off

A network request generally first resolves the domain name to an IP, then sends the request to that IP.

  1. An application wants to initiate a network request
  2. It first sends a DNS query for the domain name; the query goes to the configured DNS server and a real IP comes back
  3. With the real IP resolved, the application connects to that target IP, so what Shiliew forwards carries only the IP, not the domain name

When Fake DNS is on

The application goes through the same three steps, but the DNS answer is no longer a real address:

  1. An application wants to initiate a network request
  2. It first sends a DNS query for the domain name; Shiliew answers it locally with a fake IP and remembers which domain that fake IP stands for, so no real resolution happens on the client
  3. The application connects to the fake IP; Shiliew swaps it back for the remembered domain name and sends that to the server, which resolves it on its side, so the extra DNS round trip is avoided
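The Fake DNS flow above, as an added Go example that is not Shiliew's or Brook's own code: a table that hands out placeholder addresses from a reserved pool, remembers the domain behind each one, and turns the destination the application connected to into what gets sent to the server. The pool 240.0.0.0/4, the type and function names, and the domains used are this example's assumptions; the edge case handled is the pool running out, which is reported instead of silently reusing an address.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"sync"
)

// FakeDNS answers A queries with placeholder addresses drawn from a reserved
// block and remembers which domain each placeholder stands for. The pool is
// this example's choice, not a value documented for Shiliew.
type FakeDNS struct {
	mu     sync.Mutex
	pool   netip.Prefix
	next   netip.Addr
	byName map[string]netip.Addr
	byIP   map[netip.Addr]string
}

// NewFakeDNS prepares a table that allocates from cidr, starting one above
// the network address.
func NewFakeDNS(cidr string) (*FakeDNS, error) {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return nil, err
	}
	p = p.Masked()
	return &FakeDNS{pool: p, next: p.Addr().Next(), byName: map[string]netip.Addr{}, byIP: map[netip.Addr]string{}}, nil
}

// Resolve is step 2 with Fake DNS on: no upstream query is made, the same
// domain always gets the same fake IP, and an exhausted pool is an error.
func (f *FakeDNS) Resolve(domain string) (netip.Addr, error) {
	f.mu.Lock()
	defer f.mu.Unlock()
	if ip, ok := f.byName[domain]; ok {
		return ip, nil
	}
	ip := f.next
	if !f.pool.Contains(ip) { // also false once Next() has run off the end of IPv4
		return netip.Addr{}, errors.New("fake IP pool exhausted")
	}
	f.next = ip.Next()
	f.byName[domain] = ip
	f.byIP[ip] = domain
	return ip, nil
}

// Target is step 3: the application connects to dst:port. For a fake IP the
// client forwards the remembered domain name so the server resolves it; any
// other address is passed through literally.
func (f *FakeDNS) Target(dst netip.Addr, port uint16) string {
	f.mu.Lock()
	defer f.mu.Unlock()
	if name, ok := f.byIP[dst]; ok {
		return fmt.Sprintf("%s:%d", name, port)
	}
	return netip.AddrPortFrom(dst, port).String()
}

func main() {
	f, err := NewFakeDNS("240.0.0.0/4")
	if err != nil {
		panic(err)
	}
	// Steps 1 and 2: the application asks for ipip.ooo and receives a fake IP.
	ip, _ := f.Resolve("ipip.ooo")
	fmt.Println("A ipip.ooo ->", ip)
	// Step 3: it connects to that IP; the server receives the domain, not the IP.
	fmt.Println("connect", ip, "-> server gets", f.Target(ip, 443))
	// A literal IP the application already knew is forwarded unchanged.
	fmt.Println("connect 1.1.1.1 -> server gets", f.Target(netip.MustParseAddr("1.1.1.1"), 53))
}
```

The server-side resolution is what lets the text above claim one fewer network round trip: the client never waits for a real DNS answer before opening the connection.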

Why and How to Turn Off System and Browser Secure DNS

At present, Android has built-in Private DNS (DoT), and the desktop and mobile versions of Chrome provide built-in Secure DNS (DoH). That is ideal in a world of full-scale Anycast networks: the DNS queries of ordinary users without a proxy are encrypted on the intermediate network. But reality is not ideal.

Suppose a domain name resolves to different IPs in different regions; the IP you finally get then depends on:

  1. DNS Server
  2. The network that initiated the DNS query

When DoT or DoH is turned on, the query content cannot be intercepted, so it is impossible to send different domain names to different DNS resolvers, and Fake DNS cannot be used to let the server resolve the domain name and save one network round trip.

So we turn it off:

Will turning it off reduce security?

You can enable Fake DNS or configure DoH in the Shiliew GUI instead: with Fake DNS the domain name travels to the server inside the proxy connection rather than as a plaintext query on the local network, and with DoH the query is still encrypted, only now under Shiliew's control rather than the system's or the browser's.

MITM

Note: this feature requires programming skills. It runs your script to intercept and modify HTTP and HTTPS traffic; a complex script may consume more resources and reduce performance.

ROOT CA

https://txthinking.github.io/ca/ca.pem

Once installed, the device trusts every certificate that chains to this CA, not only the ones Shiliew issues for the hosts in your rule list. Install it only on devices where you want interception, and remove it from the trust store when you no longer need MITM.

To perform MITM

macOS

MITM requires tun mode

nami install mad ca.txthinking
sudo mad install --ca ~/.nami/bin/ca.pem

Windows

MITM requires tun mode

nami install mad ca.txthinking

Open Git Bash as administrator

mad install --ca ~/.nami/bin/ca.pem

iOS

https://www.youtube.com/watch?v=uctNsfl3lio

Android

Android has a system CA store and a user CA store; the CA must be installed into the system store, which requires root.

Rule

One protocol and address per line, in the form scheme://host:port

Example

http://ipip.ooo:80
https://ipip.ooo:443

Suffix match mode: a rule for ipip.ooo:80 also matches xxx.ipip.ooo:80, xxx.xxx.ipip.ooo:80 and so on; likewise ipip.ooo:443 matches xxx.ipip.ooo:443, xxx.xxx.ipip.ooo:443 and so on.

https://txthinking.github.io/bypass/mitm.txt

Script

request

request represents an HTTP request and is a map:

{
	"Method": "GET", // string, request method
	"URL": "https://ipip.ooo/", // string, request url
	"Body": bytes, // bytes, request body
	"...": "...",
	"User-Agent": "...", // string, all other keys are request header
	"...": "..."
}

response

response represents an HTTP response and is a map:

{
	"StatusCode": 200, // int, response status code
	"Body": bytes, // bytes, response body
	"...": "...",
	"Server": "txthinking", // string, all other keys are response headers
	"...": "..."
}

How it works

  1. Shiliew first matches the address against the rule list, then prepares the data according to the protocol given for that address in the rule
  2. Shiliew passes request to the script, with response still undefined. The script can choose to return request (modified or not), in which case the flow continues with step 3, or to return a response map directly, in which case Shiliew answers the client with it and never contacts the server
  3. Shiliew sends the request returned by the script to the server
  4. Shiliew gets the response from the server
  5. Shiliew passes response to the script, with request now being the request returned in step 2; the script must return response, modified or not
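The rule matching from the Rule section and the five-step script contract above, as one added Go example that is not Shiliew's or Brook's own code: a parser for the scheme://host:port rule lines, a suffix matcher, and a driver that calls a hook twice the way the steps describe, with the page's own script logic (301 to HTTPS, User-Agent rewrite) rewritten as the hook. Assumptions of this example: blank rule lines are skipped, the suffix match stops at a dot boundary so notipip.ooo does not match ipip.ooo, a map returned from the first call that carries "StatusCode" is treated as a ready response, and the upstream server is a constructed stand-in that echoes the User-Agent it receives.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Rule is one "scheme://host:port" line of the MITM rule list.
type Rule struct{ Scheme, Host, Port string }

// ParseRules reads the rule list, one rule per line; blank lines are skipped
// and anything but http(s)://host:port is rejected.
func ParseRules(text string) ([]Rule, error) {
	var rules []Rule
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		u, err := url.Parse(line)
		if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" || u.Port() == "" {
			return nil, fmt.Errorf("bad rule %q: want http(s)://host:port", line)
		}
		rules = append(rules, Rule{u.Scheme, strings.ToLower(u.Hostname()), u.Port()})
	}
	return rules, nil
}

// Match returns the scheme of the first rule with the same port whose host is host
// itself or a parent domain of it (dot boundary: notipip.ooo does not match ipip.ooo).
func Match(rules []Rule, host, port string) string {
	host = strings.ToLower(host)
	for _, r := range rules {
		if r.Port == port && (host == r.Host || strings.HasSuffix(host, "."+r.Host)) {
			return r.Scheme
		}
	}
	return ""
}

// Message mirrors the page's request/response maps: fixed keys plus one entry per header.
type Message map[string]any

// Hook is the script contract: called with resp == nil before the request is sent,
// then again with the server's response. On the first call a returned map carrying
// "StatusCode" counts as a ready response (the page's 301 case).
type Hook func(req, resp Message) Message

// Intercept runs the five steps of "How it works" for one connection, with origin
// standing in for the upstream server. It returns nil when no rule matched, and
// reports whether origin was actually contacted.
func Intercept(rules []Rule, hook Hook, origin func(Message) Message, host, port, path string) (Message, bool) {
	scheme := Match(rules, host, port) // step 1: match the rule address
	if scheme == "" {
		return nil, false
	}
	if port != map[string]string{"http": "80", "https": "443"}[scheme] {
		host += ":" + port // show the port in the URL only when it is not the default
	}
	req := Message{"Method": "GET", "URL": scheme + "://" + host + path, "Body": []byte{}, "User-Agent": "Mozilla/5.0"}
	out := hook(req, nil) // step 2: the script sees the request, response undefined
	if _, ready := out["StatusCode"]; ready {
		return out, false // the script answered by itself; the server is never contacted
	}
	resp := origin(out)          // steps 3 and 4: send the returned request, get the response
	return hook(out, resp), true // step 5: the script returns the response, modified or not
}

// ExampleHook is the page's script in Go: redirect plain HTTP on ipip.ooo to
// HTTPS without contacting the server, and spoof the User-Agent over HTTPS.
func ExampleHook(req, resp Message) Message {
	if resp == nil {
		u, _ := req["URL"].(string)
		if strings.HasPrefix(u, "http://ipip.ooo") {
			return Message{"StatusCode": 301, "Location": "https://" + strings.TrimPrefix(u, "http://")}
		}
		if strings.HasPrefix(u, "https://ipip.ooo") {
			req["User-Agent"] = "curl/7.79.1"
		}
		return req
	}
	return resp
}

// FakeOrigin is a constructed upstream that echoes the User-Agent it received.
func FakeOrigin(req Message) Message {
	ua, _ := req["User-Agent"].(string)
	return Message{"StatusCode": 200, "Server": "txthinking", "Body": []byte("ua=" + ua)}
}

const SampleRules = "http://ipip.ooo:80\nhttps://ipip.ooo:443\n" // the page's example list

func main() {
	rules, _ := ParseRules(SampleRules)
	resp, hit := Intercept(rules, ExampleHook, FakeOrigin, "xxx.ipip.ooo", "443", "/")
	fmt.Println("origin contacted:", hit, "body:", string(resp["Body"].([]byte)))
}
```

Keeping the rule parser strict matters more than it looks: a rule line that silently parses to an empty host would turn the suffix check into a match for every host on that port.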

MITM with Body

If off

If on

Example

text := import("text")
_ := (func(request, response) {

    // Begin
    // First call: response is undefined; the script may modify request or answer directly
    if(!response){
        // Plain HTTP to ipip.ooo: reply with a redirect to HTTPS, the server is never contacted
        if(text.has_prefix(request["URL"], "http://ipip.ooo")){
            return {
                "StatusCode": 301,
                "Location": text.replace(request["URL"], "http://", "https://", 1)
            }
        }
        // HTTPS to ipip.ooo: rewrite one header and let the request continue to the server
        if(text.has_prefix(request["URL"], "https://ipip.ooo")){
            request["User-Agent"] = "curl/7.79.1"
            return request
        }
        // Everything else passes through unchanged
        return request
    }
    // Second call: response came back from the server; return it, modified or not
    return response
    // End

})(request, response)

Debugging

You can use mitmproxy helper and Wireshark Helper to capture traffic and decide what to modify. The difference of mobile phone packet capture software

You can use tun2brook to debug the script, since it lets you print data from inside the script.

Log

On macOS and Windows, tun mode must be enabled.

Enable logging only when necessary, so the log file does not grow too large.

Apple push problem

To use Apple Push Notification Service (APNs), your macOS, iOS, tvOS, and watchOS devices need a persistent connection to Apple's servers over Ethernet, cellular data (if capable), or Wi-Fi.

https://support.apple.com/en-us/HT210060

Domain

apple.com
icloud.com
cdn-apple.com
mzstatic.com
entrust.net
digicert.com
verisign.net

CIDR4

17.0.0.0/8
103.81.148.0/22
103.81.148.0/24
103.81.149.0/24

CIDR6

2620:149:a44::/48
2403:300:a42::/48
2403:300:a51::/48
2a01:b740:a42::/48

Windows IPv6 tun mode

This applies if your Windows supports IPv6. If something goes wrong, turn off IPv6 networking and reboot.

Resources