hackerschoice / gsocket Goto Github PK

It would be nice to have gsocket available in the FreeBSD ports tree. This would involve a couple of things:

1. who would maintain the port?
2. we would need to have the port Makefile and metadata files created so that the port builds etc
3. we would need to contact ports folk to have it added

I have implemented (2) as a possible option, but I am not opposed to gutting it, if people wish. However, I wanted to offer up as an example. I have myself as the maintainer, but that was just a placeholder as depends on (1). They may be found: in github and are intended for /usr/ports/net/gsocket/

Some links to helpful documentation (also exposing some of the gaps in my example):

• See /usr/ports/Mk/ files as they will document a lot of the options available
• FreeBSD Handbook chapter on making a new port
• porters handbook chapter on making a port

reported by muplagama.

shows aarch64 but binary fails self-test.

reported by leonardo. Used to work. Check and fix.

user@test:~/gsocket/tools$ ./gs-sftp -l
Enter Secret (or press Enter to generate):
=Secret :"xxxW6e1r"
=Extra arguments: '-s xxxW6e1r'
=Secret : "xxxW6e1r"

Potential fix to start underlying gs-netcat with -q or -Q option to prevent startup message or use env variable??

I'm trying to run gsocket on an odroid via the docker image, but I encounter this error:

WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested

Obviously the cpu architecture is wrong for the supplied image, can you advise if this can be supported?

on systems where there is no DNS make it so that GS_HOST is propagated all the way to the install/restart scripts...
(systemd, crontab, bashrc etc)

Using the "X" environment variable does not seem to work and this snippet below will generate a new secret every time it is run:

# Pre-set a secret:
#   $ X=MySecret bash -c "$(curl -fsSL gsocket.io/x)"

1. The user supplied secret is saved here:

   gsocket/deploy/deploy.sh

   Line 665 in e4d734a

   [[ -n "$X" ]] && GS_SECRET="$X"

2. Then it gets overwritten in the test_bin() function, here:

   gsocket/deploy/deploy.sh

   Line 574 in e4d734a

   GS_SECRET=$("$bin" -g 2>/dev/null)

works fine with netcat and other tools but ssh seems to have changed (or libc change?)

server: gsocket nc -vnlp 22
client: gsocket ssh [email protected]

ssh: Could not resolve hostname 127.3.13.3.7: nodename nor servname provided, or not known
Works fine on linux but not on OSX...

Works fine when compiling ssh from source:
./configure --prefix=$HOME/usr LDFLAGS="-L/usr/local/opt/openssl/lib" CPPFLAGS="-I/usr/local/opt/openssl/include"

add a less noticeable description to the gs-bd unit file

[Unit]
Description=D-Bus System Connection Bus

Seen once.

1. gs-bd started from systemd-services. Start a file transfer from elite console.
2. while transfer is running type exit in the shell above.
3. observe how gs-bd gets killed and not restart by systemd (??).

reported by user that 'sshd is not responding'.

Need to know more.

• uname -a
• netstat -antp

using Issue #8 as a model where applicable, it is desirable to add gsocket to the OpenBSD ports tree,
I will be adding to this issue as I research how to go about this...

@rksky any question. An Ununtu Server who roots all Traffic into an OpenVPN Connection. Any days he lost the connecten to dns. To fix them i will use an Script to Check with ping the Connection. If the Ping failed he will restart systemd-networkd service. This runs good. But gsocket will not reconnect. Andy idea to restart the deployed gsocket after service restart? I cannot reboot the Maschine any times.
(using deploy script)

Server shows disconnect and client does not reconnect.

This is a bug as the client is a UDP forward and should reconnect (via gsrn) when openvpn likes to send a new packet.
Also consider decrease keep-alive interval in OPENVPN for users.

root@vpn:/etc/openvpn# Tue Aug 3 10:03:58 2021 [ID=1] Disconnected after 2hrs 53min 40.747sec
Up: 11,820 [ 1.0B /s], Down: 173,968 [ 16.0B /s]

I noticed less and less hosts allow me to download binaries from github, I made an nginx server and copied the gs-binaries there:

then updated the env vars URL_BASE and URL_DEPLOY to use my http server, and since then I haven't had an install failure.

I believe as time goes by this problem will be more and more frequent, thc should consider running their own download server as github gets blacklisted.

Hi folks,

Sorry as this isn't really an "issue" but i would like to package gsocket. However I would like to avoid backporting patches like the 2 I have contributed that are kind of required before I could ship gsocket. I tried send a ping on twitter without success.

Would it be possible to get an early 2021 git tag released? 🐱

cheers

because it defaults to /dev/shm as DSTBIN directory and that is sometimes mounted NOEXEC.

Solution to be implemented:
[[ -n $HOME ]] && ... grep ^$(whoami) /etc/passwd | cut -d: -f6

seen once when gs-bd was not restarted by stystemd when it segfaulted. Investigate. It could be that gs-bd got a fatal-return form gsrn because another gs-bd was already connected using same secret from a different host.

The connection to the GSRN (port 443) could use TLS with a 'good' SNI such as google.com to get around outbound filters the filter on SNI.

hackerschoice/gsocket releases should contain release binaries.

Currently, all releases miss binaries and contain only sources. Binaries are stored in a different GitHub repository. And it is inconvenient and confusing.

GitHub provide release API: https://docs.github.com/en/rest/releases/releases#create-a-release

error : config.status: error: Something went wrong bootstrapping makefile fragments
for automatic dependency tracking. Try re-running configure with the
'--disable-dependency-tracking' option to at least be able to build
the package (albeit without support for automatic dependency tracking).

What a piece of shit. Doesnt check its own dependencies.

from 755 to 644. Oops. Keeps timestamp though...

The documentation of gsocket often mentions GSRN.

To me, this seems like the backbone of gsocket. However, the documentation doesn't provide information on what this service is, who manages it and why it can be hosted for free. A quick Google search also doesn't provide more info.

How can users know that gsocket is safe and not, for example, a honeypot?

if installed in systemd and AWS is sharing the / then AWS's autoscaling files up more instances with the same / and thus sharing the SECRET...because they are all unique hosts they all use different AUTH values and thus only 1 (the first) will listen on GSRN.

Possible solution is to use AUTH value and store auth value along in gs-bd.dat.

gs_so and gs_uchroot_so are not executables but in fact DSO libs. They should be distributed in the matching FHS directories like /usr/lib instead of putting them in the bin directory.

This would be welcoming for distro folks 🐱

Edit: I believe it would also make sense to move pure helper scripts as gs_funcs to the same place. Either the location can be probed or some of the scripts should be converted to .in files that autotools substitutes with configured libdir etc.

reported by darkmode, gsocket ssh works fine but gsocket scp does not?

Will gsocket work with openconnect (ocserv)?

....as otherwise user wont see the secret ever :>

Try not just port 7350 but have gsrn listen on 80, 443 etc as well and let gsocket try to connect to any of those as well.

either default to curl -k or have it as a fall-back (try https and if taht fails try http).

This is odd. It works fine when I compile openssh myself but not on the stock sshd binary on MacOS:

// gcc -Wall -o hijack.so -fPIC -shared hijack.c
// gcc -Wall -o bind bind.c
// DYLD_INSERT_LIBRARIES=${PWD}/hijack.so DYLD_FORCE_FLAT_NAMESPACE=1 ./bind
// => WORKS FINE
//
// cd ~/src/openssh-8.3p1
// ./configure --prefix=$HOME/usr LDFLAGS="-L/usr/local/opt/openssl/lib" CPPFLAGS="-I/usr/local/opt/openssl/include"
// make
// DYLD_INSERT_LIBRARIES=${PWD}/hijack.so DYLD_FORCE_FLAT_NAMESPACE=1 ${PWD}/sshd -f /etc/ssh/sshd_config -o HostKey=${PWD}/ssh_host_rsa_key -p 31338 -D -ddd
// => WORKS FINE
//
// cp /usr/sbin/sshd sshd
// DYLD_INSERT_LIBRARIES=${PWD}/hijack.so DYLD_FORCE_FLAT_NAMESPACE=1 ${PWD}/sshd -f /etc/ssh/sshd_config -o HostKey=${PWD}/ssh_host_rsa_key -p 31338 -D -ddd
// => DOES NOT WORK

#include <sys/wait.h>
#include <dlfcn.h>
#include <stdio.h>
#include <unistd.h>
#include <limits.h>
#include <stdlib.h>
#include <netdb.h>

int
bind(int socket, const struct sockaddr *addr, socklen_t addr_len)
{
fprintf(stderr, "WORKING [intercepted]\n");
exit(123);
return -1;
}

// FILE: bind.c
// #include <sys/socket.h>
// #include <unistd.h>

// int
// main()
// {
// bind(0, NULL, 0);
// return 0;
// }

see title

Have a flag in gs-netcat (client) to check if there is a listening server (without connecting to the server)
and perhaps even include a ping stat and auto-terminate after 60 seconds (or with a timeout flag).

thanks L.

Can be done as we already have an inband signaling protocol (pkt) and thus can submit command line to remote or indicate that
this is a non-tty cmd-exec shell. Will only work for versions >= 1.4.34 but without breaking backwards compatibility (can use protocol minor version indicator and flag to gsrnd to indicate command-exec shell).

Shall we use /bin/sh -c or $SHELL -c? Take a look at ssh and do it how they do it (i guess $SHELL as /bin/sh is for losers).

Have a -v flag that shows when gs-netcat has successfully connected to the gsrn.

Hi,

I just discovered this and it looks fantastic! Could you please document how the TCP nat traversal works? I was previously aware of UDP methods, but not TCP methods where both ends were behind NAT/firewall. It would be fantastic to understand how it works.

thanks!

Keep-alive shall be decreased as some systems seem to kill inactive connections after 60 seconds...

reported by iama****.

root@ubuntu:~# uname -a
Linux ubuntu 5.4.0-124-generic #140-Ubuntu SMP Thu Aug 4 02:23:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu:~# cat /etc/issue
Ubuntu 20.04.5 LTS \n \l

1. gsocket was installed.
2. ssh user logs in
3. gs-netcat log in
4. elite console
5. Users(0) is shown

two changes requested by user:

1. GS_BASE_URL=.. to point to a custom url with binaries for deployments (https or http auto detect and use wget/curl with correct parameters)
2. a tar ball will all binaries included to deploy without the need fo wget/curl to any server...

If no filename is given to gsocket it will still start and error out trying to execute:

$ gsocket 
Enter Secret (or press Enter to generate): 
=Secret         :"7F8hq1FxBKtQzEZgeKsyGo"
=Encryption     : SRP-AES-256-CBC-SHA-End2End (Prime: 4096 bits)
/usr/local/bin/gsocket: line 139: exec: : not found

Nothing bad, just cosmetic issue.

Hey there,

I really think that gsocket is fantastic! However I was not able to configure it statically using the LDFLAG -static. It fails and says that no lipcrypto could be found. I am using Arch Linux with openssl installed(meaning that it includes the header files).

What am I missing? I couldn't find any documentation on compiling either. For example tor has flags specifying where to find openssl: --openssldir=/usr/local/openssl

Thanks in advance!

Should show old password of currently running?

see L’s messages.

apparently $HOME/.usr is not 31337 enough.

Provide binaries for instead of source code. It would be more straightforward to install in on a router.

I tried to compile the code on Turris OS (OpenWrt fork). Many needed packages are not available in default repositories. So I installed Debian on LXC machine on the router and compiled it there. Then I copied it back to the router.

Now the gsocket is missing a library libnsl.so.1, which seems to be part of RedHat distribution.

root@turris:~/software/gsocket# ./gsocket -s MySecret /usr/sbin/sshd -d
gsocket: =Encryption     : SRP-AES-256-CBC-SHA-End2End (Prime: 4096 bits)
Error loading shared library libnsl.so.1: No such file or directory (needed by /root/software/gsocket/gsocket_dso.so.0)

Do a dump-terminal right now but communicate via internal channel
that server has no PTY and set client's stty accordingly.

At the moment the work-around is to not use -i and use ctrl-z and stty raw -echo opost; fg instead.

There is a server i am connecting and i was connecting recently fine but suddenly there is no connection to the vps anymore.

It replies Fri Nov 12 08:54:53 2021 [ID=1] Connection refused (no server listening) (2)

and i used -w (for waiting and it also replies like )
Connecting to 213.202.239.83:7350...
GSRN connection established [213.202.239.83:7350].

but it doesn't connect back to me.
Any help please

gsocket starts sshd on server.

server: gsocket /usr/sbin/sshd

noticed gs-netcat consuming 100% cpu load on a 16-core system which was under heavy load. Select() call seems to track fd=3 but app never reads from it:

select(9, [0 3 5 7 8], [], NULL, {tv_sec=0, tv_usec=603003}) = 1 (in [3], left {tv_sec=0, tv_usec=603002})                                          
select(9, [0 3 5 7 8], [], NULL, {tv_sec=0, tv_usec=602988}) = 1 (in [3], left {tv_sec=0, tv_usec=602987})                                          
select(9, [0 3 5 7 8], [], NULL, {tv_sec=0, tv_usec=602972}) = 1 (in [3], left {tv_sec=0, tv_usec=602971})                                          
select(9, [0 3 5 7 8], [], NULL, {tv_sec=0, tv_usec=602956}) = 2 (in [3 7], left {tv_sec=0, tv_usec=602955})                                        
read(7, "\27\3\3\0T", 5)                = 5                                                                                                         
read(7, "\1\16z\334}\310sh\7k\241\324uE\22024\323;R\326_]\274\211\3375;O\326N\260"..., 84) = 84                                                     
write(8, "-\256\315-\371%\331\275\302\312\223\231\202\23o\237Z)K\350($\3663\221\330o\312\316M-\5"..., 36) = 36                                                                                                                                                                                           
select(9, [0 3 5 7 8], [], NULL, {tv_sec=0, tv_usec=602862}) = 2 (in [3 7], left {tv_sec=0, tv_usec=602861})                                        
read(7, "\27\3\3\0T", 5)                = 5                                                                                                         
read(7, "\21\314\317dX0\201B5G\21'\314\221\270\210\337\30\201B-C\210\32\24\213\322N\n\303\370\34"..., 84) = 84                                      
write(8, "\222\347>F\272Th?\353\31\303\211\264\364\30\360G2\254\272\337\342\364\242'\350\217izM`("..., 36) = 36                                     
select(9, [0 3 5 7 8], [], NULL, {tv_sec=0, tv_usec=602790}) = 3 (in [3 7 8], left {tv_sec=0, tv_usec=602789})                                      
read(7, "\27\3\3\0T", 5)                = 5                                                                                                         
read(7, "\224\267\300\227\345\0322\242\334aY\216H\f\246\364q=\356\276\327\3016N_q\333\n^\10\211Z"..., 84) = 84                                      
write(8, "\352;\33\202\v(m\2110~\223\367>\267k\215\301\244\376\317\323\27\200\346\270\254\320\337\267\\\253\303"..., 36

FD 0 is the watchdog stdin monitor
FD 5 must be the next GSRN listening connection
FD 7 is the GS connection (active)
FD 8 is the localhost forward (to sshd)

FD 3 could be the old forward or an old GS connection.

Bug ideas:

• old restored state?
• ssl shutdown fails without clearing fd

This bug could not be re-prodcued.

I am trying to use gsocket on a Raspberry Pi Zero with Raspbian OS 11, linux kernel 5.15.32+).

"Normal" gs-netcat works like a charm, also the reverse shell works.

However, the gs-sshd service does not work. It starts, but then, no connection is coming in. The other way around (connecting from the Pi Zero to a computer hosting the ssh daemon) works.

What can be the problem? Running gs-sshd with the debugging flag did not help.

when DNS or connect() fails then keep re-trying forever (but output to stdout that a retry is being attempted....).

This is helpful when gs-netcat is started during bootup but before dns or network becomes available. The workaround is -D at the moment.