Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added traffic plugin support #549

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Added traffic plugin support #549

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
20b8c79
Add traffic plugins
Feb 26, 2023
630d1cd
Added VncTokenAuthenticationTrafficPlugin
Feb 26, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,10 @@ These are not necessary for the basic operation.
options, where CLASS is usually one from token_plugins.py and ARG is
the plugin's configuration.

* Traffic plugins: an instance per connection to intercept and modify traffic
This functionality is activated with the `--traffic-plugin CLASS`, where
CLASS is an implementation of the traffic_plugin BasePlugin.

### Other implementations of websockify

The primary implementation of websockify is in python. There are
Expand Down
47 changes: 47 additions & 0 deletions websockify/plugins.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
from websockify.traffic_plugins import BasePlugin
from websockify import pyDes

class RFBDes(pyDes.des):
def setKey(self, key):
"""RFB protocol for authentication requires client to encrypt
challenge sent by server with password using DES method. However,
bits in each byte of the password are put in reverse order before
using it as encryption key."""
newkey = []
for ki in range(len(key)):
bsrc = ord(key[ki])
btgt = 0
for i in range(8):
if bsrc & (1 << i):
btgt = btgt | (1 << 7 - i)
newkey.append(btgt)
super(RFBDes, self).setKey(newkey)

"""Intercepts VNC traffic and injects the password from a provided token"""
class VncTokenAuthenticationTrafficPlugin(BasePlugin):
def __init__(self, handler, tsock):
super().__init__(handler, tsock)
self.password = self.handler.target_attribtues["password"]
self.client_packet_count = 0
self.target_packet_count = 0

def from_client(self, s):
self.client_packet_count += 1
if self.client_packet_count == 2:
return None
return s

def from_target(self, s):
self.target_packet_count += 1
if self.target_packet_count == 2 and b"\x02" in s[1:]: # check if password is supported
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm afraid this is a bit fragile. There is no guarantee that the stream will be split in packages in a specific way.

Some rudimentary protocol handling will be needed here.

Have you considered a proxy model, instead of this filtering model? It might be a better fit.

self.tsock.send(b'\x02')
self.handle_auth = True
s = None # dont forward to client
if self.target_packet_count == 3 and self.handle_auth: # challenge
self.handle_auth = False
pw = (self.password + '\0' * 8)[:8] # make sure its 8 chars long, zero padded
des = RFBDes(pw)
response = des.encrypt(s)
self.tsock.send(response)
return b'\x01\x01' # send "no auth" required to client
return s
Loading