@omindu/yaksha 1.0.0

package/src/features/sni-spoof.js

@@ -0,0 +1,355 @@
+'use strict';
+
+/**
+ * Yaksha SNI Spoofing
+ * Intercept and replace Server Name Indication in TLS ClientHello
+ */
+
+const crypto = require('crypto');
+
+// Popular domains for SNI spoofing (categorized)
+const DOMAIN_LISTS = {
+  tech: [
+    'google.com', 'microsoft.com', 'apple.com', 'amazon.com',
+    'facebook.com', 'twitter.com', 'linkedin.com', 'github.com'
+  ],
+  cdn: [
+    'cloudflare.com', 'fastly.net', 'akamai.net', 'cloudfront.net',
+    'cdn77.com', 'stackpath.com', 'bunny.net', 'jsdelivr.net'
+  ],
+  popular: [
+    'youtube.com', 'netflix.com', 'spotify.com', 'instagram.com',
+    'reddit.com', 'wikipedia.org', 'twitch.tv', 'zoom.us'
+  ],
+  news: [
+    'nytimes.com', 'bbc.com', 'cnn.com', 'reuters.com',
+    'theguardian.com', 'wsj.com', 'bloomberg.com', 'forbes.com'
+  ]
+};
+
+// Flatten all domains into single array
+const ALL_DOMAINS = Object.values(DOMAIN_LISTS).flat();
+
+class SNISpoofing {
+  constructor(securityLevel = 'medium', options = {}) {
+    this.securityLevel = securityLevel;
+    this.mode = this._selectMode(securityLevel);
+    this.customDomains = options.customDomains || [];
+    this.bugHost = options.bugHost || null; // Custom bug host for network bypass
+    this.sniMap = new Map(); // original -> fake mapping
+    this.enabled = options.enabled !== false;
+  }
+
+  /**
+   * Select SNI spoofing mode based on security level
+   */
+  _selectMode(level) {
+    switch (level) {
+      case 'low':
+        return 'static';
+      case 'medium':
+        return 'random';
+      case 'high':
+        return 'context-aware';
+      default:
+        return 'random';
+    }
+  }
+
+  /**
+   * Get static fake SNI (always returns the same domain)
+   */
+  _getStaticSNI() {
+    // Use bug host if specified, otherwise use default
+    return this.bugHost || 'cloudflare.com';
+  }
+
+  /**
+   * Get random fake SNI from domain list
+   */
+  _getRandomSNI() {
+    const domains = this.customDomains.length > 0 
+      ? this.customDomains 
+      : ALL_DOMAINS;
+    
+    const randomIndex = crypto.randomInt(0, domains.length);
+    return domains[randomIndex];
+  }
+
+  /**
+   * Get context-aware fake SNI based on time and other factors
+   */
+  _getContextAwareSNI() {
+    const hour = new Date().getHours();
+    
+    // Select domain category based on time of day
+    let category;
+    if (hour >= 9 && hour < 17) {
+      // Business hours: use tech/professional domains
+      category = Math.random() < 0.7 ? 'tech' : 'news';
+    } else if (hour >= 17 && hour < 23) {
+      // Evening: use entertainment domains
+      category = Math.random() < 0.7 ? 'popular' : 'cdn';
+    } else {
+      // Night: mixed
+      category = Math.random() < 0.5 ? 'popular' : 'tech';
+    }
+
+    const domains = DOMAIN_LISTS[category];
+    const randomIndex = crypto.randomInt(0, domains.length);
+    
+    // Add timing jitter to avoid patterns
+    const jitter = crypto.randomInt(0, 100);
+    setTimeout(() => {}, jitter);
+
+    return domains[randomIndex];
+  }
+
+  /**
+   * Get fake SNI based on mode
+   */
+  getFakeSNI(originalSNI) {
+    if (!this.enabled) {
+      return originalSNI;
+    }
+
+    // If bug host is specified, always use it (highest priority)
+    if (this.bugHost) {
+      this.sniMap.set(originalSNI, this.bugHost);
+      return this.bugHost;
+    }
+
+    // Check if we already have a mapping
+    if (this.sniMap.has(originalSNI)) {
+      return this.sniMap.get(originalSNI);
+    }
+
+    let fakeSNI;
+
+    switch (this.mode) {
+      case 'static':
+        fakeSNI = this._getStaticSNI();
+        break;
+      case 'random':
+        fakeSNI = this._getRandomSNI();
+        break;
+      case 'context-aware':
+        fakeSNI = this._getContextAwareSNI();
+        break;
+      default:
+        fakeSNI = this._getRandomSNI();
+    }
+
+    // Store mapping
+    this.sniMap.set(originalSNI, fakeSNI);
+
+    return fakeSNI;
+  }
+
+  /**
+   * Get original SNI from fake SNI
+   */
+  getOriginalSNI(fakeSNI) {
+    for (const [original, fake] of this.sniMap.entries()) {
+      if (fake === fakeSNI) {
+        return original;
+      }
+    }
+    return null;
+  }
+
+  /**
+   * Parse TLS ClientHello to extract SNI
+   */
+  parseSNI(clientHello) {
+    try {
+      // TLS record header: 5 bytes
+      // Handshake header: 4 bytes
+      // Client version: 2 bytes
+      // Random: 32 bytes
+      // Session ID length: 1 byte
+      
+      let offset = 0;
+      
+      // Skip TLS record header
+      offset += 5;
+      
+      // Skip handshake header
+      offset += 4;
+      
+      // Skip client version
+      offset += 2;
+      
+      // Skip random
+      offset += 32;
+      
+      // Read session ID length and skip session ID
+      const sessionIdLength = clientHello[offset];
+      offset += 1 + sessionIdLength;
+      
+      // Read cipher suites length and skip cipher suites
+      const cipherSuitesLength = clientHello.readUInt16BE(offset);
+      offset += 2 + cipherSuitesLength;
+      
+      // Read compression methods length and skip compression methods
+      const compressionMethodsLength = clientHello[offset];
+      offset += 1 + compressionMethodsLength;
+      
+      // Read extensions length
+      if (offset + 2 > clientHello.length) {
+        return null; // No extensions
+      }
+      
+      const extensionsLength = clientHello.readUInt16BE(offset);
+      offset += 2;
+      
+      const extensionsEnd = offset + extensionsLength;
+      
+      // Parse extensions to find SNI (type 0x0000)
+      while (offset + 4 <= extensionsEnd) {
+        const extensionType = clientHello.readUInt16BE(offset);
+        const extensionLength = clientHello.readUInt16BE(offset + 2);
+        offset += 4;
+        
+        if (extensionType === 0x0000) { // SNI extension
+          // SNI extension format:
+          // - Server Name List Length: 2 bytes
+          // - Server Name Type: 1 byte (0 = host_name)
+          // - Server Name Length: 2 bytes
+          // - Server Name: variable
+          
+          offset += 2; // Skip list length
+          const nameType = clientHello[offset];
+          offset += 1;
+          
+          if (nameType === 0) { // host_name
+            const nameLength = clientHello.readUInt16BE(offset);
+            offset += 2;
+            const serverName = clientHello.toString('utf8', offset, offset + nameLength);
+            return serverName;
+          }
+        } else {
+          offset += extensionLength;
+        }
+      }
+      
+      return null;
+    } catch (error) {
+      return null;
+    }
+  }
+
+  /**
+   * Replace SNI in TLS ClientHello
+   */
+  replaceSNI(clientHello, newSNI) {
+    try {
+      // Create a mutable copy
+      const modified = Buffer.from(clientHello);
+      
+      // Find SNI extension and replace
+      // This is a simplified implementation
+      // In production, use a proper TLS parser
+      
+      const originalSNI = this.parseSNI(clientHello);
+      if (!originalSNI) {
+        return modified; // No SNI to replace
+      }
+
+      // Find and replace SNI string
+      const originalSNIBuffer = Buffer.from(originalSNI, 'utf8');
+      const newSNIBuffer = Buffer.from(newSNI, 'utf8');
+      
+      const sniIndex = modified.indexOf(originalSNIBuffer);
+      if (sniIndex === -1) {
+        return modified;
+      }
+
+      // If new SNI is same length, simple replacement
+      if (originalSNIBuffer.length === newSNIBuffer.length) {
+        newSNIBuffer.copy(modified, sniIndex);
+        return modified;
+      }
+
+      // Different lengths require rebuilding the packet
+      // For simplicity, we'll pad/truncate to same length
+      if (newSNIBuffer.length < originalSNIBuffer.length) {
+        // Pad with zeros
+        newSNIBuffer.copy(modified, sniIndex);
+        modified.fill(0, sniIndex + newSNIBuffer.length, sniIndex + originalSNIBuffer.length);
+      } else {
+        // Truncate
+        newSNIBuffer.copy(modified, sniIndex, 0, originalSNIBuffer.length);
+      }
+
+      // Update SNI length field (2 bytes before SNI)
+      modified.writeUInt16BE(Math.min(newSNIBuffer.length, originalSNIBuffer.length), sniIndex - 2);
+
+      return modified;
+    } catch (error) {
+      // On error, return original
+      return clientHello;
+    }
+  }
+
+  /**
+   * Spoof SNI in ClientHello packet
+   */
+  spoof(clientHello, originalSNI = null) {
+    if (!this.enabled) {
+      return clientHello;
+    }
+
+    // Extract original SNI if not provided
+    if (!originalSNI) {
+      originalSNI = this.parseSNI(clientHello);
+    }
+
+    if (!originalSNI) {
+      return clientHello; // No SNI found
+    }
+
+    // Get fake SNI
+    const fakeSNI = this.getFakeSNI(originalSNI);
+
+    // Replace SNI in ClientHello
+    return this.replaceSNI(clientHello, fakeSNI);
+  }
+
+  /**
+   * Enable SNI spoofing
+   */
+  enable() {
+    this.enabled = true;
+  }
+
+  /**
+   * Disable SNI spoofing
+   */
+  disable() {
+    this.enabled = false;
+  }
+
+  /**
+   * Clear SNI mapping cache
+   */
+  clearCache() {
+    this.sniMap.clear();
+  }
+
+  /**
+   * Get statistics
+   */
+  getStats() {
+    return {
+      enabled: this.enabled,
+      mode: this.mode,
+      mappings: this.sniMap.size,
+      domains: this.customDomains.length || ALL_DOMAINS.length
+    };
+  }
+}
+
+module.exports = SNISpoofing;
+module.exports.DOMAIN_LISTS = DOMAIN_LISTS;
+module.exports.ALL_DOMAINS = ALL_DOMAINS;

package/src/features/tls-camouflage.js

@@ -0,0 +1,369 @@
+'use strict';
+
+/**
+ * Yaksha TLS 1.3 Camouflage
+ * Make VPN traffic look like legitimate HTTPS/TLS traffic
+ */
+
+const crypto = require('crypto');
+const Logger = require('../utils/logger');
+
+// TLS 1.3 cipher suites
+const CIPHER_SUITES = [
+  0x1301, // TLS_AES_128_GCM_SHA256
+  0x1302, // TLS_AES_256_GCM_SHA384
+  0x1303, // TLS_CHACHA20_POLY1305_SHA256
+];
+
+// TLS extensions
+const EXTENSIONS = {
+  SERVER_NAME: 0x0000,
+  MAX_FRAGMENT_LENGTH: 0x0001,
+  STATUS_REQUEST: 0x0005,
+  SUPPORTED_GROUPS: 0x000a,
+  EC_POINT_FORMATS: 0x000b,
+  SIGNATURE_ALGORITHMS: 0x000d,
+  ALPN: 0x0010,
+  SIGNED_CERTIFICATE_TIMESTAMP: 0x0012,
+  EXTENDED_MASTER_SECRET: 0x0017,
+  SESSION_TICKET: 0x0023,
+  SUPPORTED_VERSIONS: 0x002b,
+  PSK_KEY_EXCHANGE_MODES: 0x002d,
+  KEY_SHARE: 0x0033
+};
+
+// ALPN protocols
+const ALPN_PROTOCOLS = ['h2', 'http/1.1'];
+
+class TLSCamouflage {
+  constructor(securityLevel = 'medium', options = {}) {
+    this.securityLevel = securityLevel;
+    this.mode = this._selectMode(securityLevel);
+    this.enabled = options.enabled !== false;
+    this.serverName = options.serverName || 'cloudflare.com';
+    this.alpnProtocols = options.alpnProtocols || ALPN_PROTOCOLS;
+    
+    this.logger = new Logger({ prefix: 'TLS-Camouflage' });
+  }
+
+  /**
+   * Select camouflage mode based on security level
+   */
+  _selectMode(level) {
+    switch (level) {
+      case 'low':
+        return 'basic';
+      case 'medium':
+        return 'full';
+      case 'high':
+        return 'nested';
+      default:
+        return 'full';
+    }
+  }
+
+  /**
+   * Build TLS ClientHello packet
+   */
+  buildClientHello(options = {}) {
+    const serverName = options.serverName || this.serverName;
+    const sessionId = options.sessionId || crypto.randomBytes(32);
+
+    // TLS Record Header (5 bytes)
+    const recordHeader = Buffer.allocUnsafe(5);
+    recordHeader.writeUInt8(0x16, 0); // Content Type: Handshake
+    recordHeader.writeUInt16BE(0x0301, 1); // Legacy Version: TLS 1.0
+    // Length will be filled later
+
+    // Handshake Header (4 bytes)
+    const handshakeHeader = Buffer.allocUnsafe(4);
+    handshakeHeader.writeUInt8(0x01, 0); // Handshake Type: ClientHello
+    // Length will be filled later
+
+    // ClientHello
+    const clientHello = [];
+
+    // Client Version (2 bytes) - TLS 1.2 for compatibility
+    const clientVersion = Buffer.allocUnsafe(2);
+    clientVersion.writeUInt16BE(0x0303, 0);
+    clientHello.push(clientVersion);
+
+    // Random (32 bytes)
+    const random = crypto.randomBytes(32);
+    clientHello.push(random);
+
+    // Session ID Length (1 byte) + Session ID
+    const sessionIdLength = Buffer.allocUnsafe(1);
+    sessionIdLength.writeUInt8(sessionId.length, 0);
+    clientHello.push(sessionIdLength, sessionId);
+
+    // Cipher Suites Length (2 bytes) + Cipher Suites
+    const cipherSuitesLength = Buffer.allocUnsafe(2);
+    cipherSuitesLength.writeUInt16BE(CIPHER_SUITES.length * 2, 0);
+    clientHello.push(cipherSuitesLength);
+    
+    for (const suite of CIPHER_SUITES) {
+      const suiteBuffer = Buffer.allocUnsafe(2);
+      suiteBuffer.writeUInt16BE(suite, 0);
+      clientHello.push(suiteBuffer);
+    }
+
+    // Compression Methods Length (1 byte) + Compression Methods
+    const compressionMethods = Buffer.from([0x01, 0x00]); // No compression
+    clientHello.push(compressionMethods);
+
+    // Extensions
+    const extensions = this._buildExtensions(serverName);
+    clientHello.push(extensions);
+
+    // Combine ClientHello
+    const clientHelloBuffer = Buffer.concat(clientHello);
+
+    // Update handshake length
+    handshakeHeader.writeUIntBE(clientHelloBuffer.length, 1, 3);
+
+    // Combine handshake
+    const handshake = Buffer.concat([handshakeHeader, clientHelloBuffer]);
+
+    // Update record length
+    recordHeader.writeUInt16BE(handshake.length, 3);
+
+    // Complete TLS record
+    return Buffer.concat([recordHeader, handshake]);
+  }
+
+  /**
+   * Build TLS extensions
+   */
+  _buildExtensions(serverName) {
+    const extensions = [];
+
+    // Server Name Indication (SNI)
+    const sniExtension = this._buildSNIExtension(serverName);
+    extensions.push(sniExtension);
+
+    // Supported Versions
+    const supportedVersions = Buffer.from([
+      0x00, 0x2b, // Extension Type: supported_versions
+      0x00, 0x03, // Length: 3
+      0x02,       // Supported Versions Length: 2
+      0x03, 0x04  // TLS 1.3
+    ]);
+    extensions.push(supportedVersions);
+
+    // Supported Groups (Elliptic Curves)
+    const supportedGroups = Buffer.from([
+      0x00, 0x0a, // Extension Type: supported_groups
+      0x00, 0x08, // Length: 8
+      0x00, 0x06, // Supported Groups Length: 6
+      0x00, 0x1d, // x25519
+      0x00, 0x17, // secp256r1
+      0x00, 0x18  // secp384r1
+    ]);
+    extensions.push(supportedGroups);
+
+    // Signature Algorithms
+    const signatureAlgorithms = Buffer.from([
+      0x00, 0x0d, // Extension Type: signature_algorithms
+      0x00, 0x08, // Length: 8
+      0x00, 0x06, // Signature Algorithms Length: 6
+      0x04, 0x03, // ecdsa_secp256r1_sha256
+      0x05, 0x03, // ecdsa_secp384r1_sha384
+      0x06, 0x03  // ecdsa_secp521r1_sha512
+    ]);
+    extensions.push(signatureAlgorithms);
+
+    // ALPN
+    const alpnExtension = this._buildALPNExtension();
+    extensions.push(alpnExtension);
+
+    // Key Share
+    const keyShareExtension = this._buildKeyShareExtension();
+    extensions.push(keyShareExtension);
+
+    // Extended Master Secret
+    const extendedMasterSecret = Buffer.from([
+      0x00, 0x17, // Extension Type: extended_master_secret
+      0x00, 0x00  // Length: 0
+    ]);
+    extensions.push(extendedMasterSecret);
+
+    // Session Ticket
+    const sessionTicket = Buffer.from([
+      0x00, 0x23, // Extension Type: session_ticket
+      0x00, 0x00  // Length: 0
+    ]);
+    extensions.push(sessionTicket);
+
+    // Combine all extensions
+    const extensionsBuffer = Buffer.concat(extensions);
+
+    // Extensions length prefix
+    const extensionsLength = Buffer.allocUnsafe(2);
+    extensionsLength.writeUInt16BE(extensionsBuffer.length, 0);
+
+    return Buffer.concat([extensionsLength, extensionsBuffer]);
+  }
+
+  /**
+   * Build SNI extension
+   */
+  _buildSNIExtension(serverName) {
+    const serverNameBuffer = Buffer.from(serverName, 'utf8');
+    
+    const extension = Buffer.allocUnsafe(9 + serverNameBuffer.length);
+    extension.writeUInt16BE(EXTENSIONS.SERVER_NAME, 0); // Extension Type
+    extension.writeUInt16BE(5 + serverNameBuffer.length, 2); // Extension Length
+    extension.writeUInt16BE(3 + serverNameBuffer.length, 4); // Server Name List Length
+    extension.writeUInt8(0x00, 6); // Server Name Type: host_name
+    extension.writeUInt16BE(serverNameBuffer.length, 7); // Server Name Length
+    serverNameBuffer.copy(extension, 9);
+
+    return extension;
+  }
+
+  /**
+   * Build ALPN extension
+   */
+  _buildALPNExtension() {
+    const protocols = [];
+    let totalLength = 0;
+
+    for (const protocol of this.alpnProtocols) {
+      const protocolBuffer = Buffer.from(protocol, 'utf8');
+      const protocolEntry = Buffer.allocUnsafe(1 + protocolBuffer.length);
+      protocolEntry.writeUInt8(protocolBuffer.length, 0);
+      protocolBuffer.copy(protocolEntry, 1);
+      protocols.push(protocolEntry);
+      totalLength += protocolEntry.length;
+    }
+
+    const protocolsBuffer = Buffer.concat(protocols);
+
+    const extension = Buffer.allocUnsafe(6 + totalLength);
+    extension.writeUInt16BE(EXTENSIONS.ALPN, 0); // Extension Type
+    extension.writeUInt16BE(2 + totalLength, 2); // Extension Length
+    extension.writeUInt16BE(totalLength, 4); // ALPN List Length
+    protocolsBuffer.copy(extension, 6);
+
+    return extension;
+  }
+
+  /**
+   * Build Key Share extension
+   */
+  _buildKeyShareExtension() {
+    // Generate ephemeral X25519 key pair
+    const keyPair = crypto.generateKeyPairSync('x25519');
+    const publicKey = keyPair.publicKey.export({ type: 'spki', format: 'der' });
+    
+    // Extract raw public key (last 32 bytes of SPKI)
+    const rawPublicKey = publicKey.slice(-32);
+
+    const extension = Buffer.allocUnsafe(40);
+    extension.writeUInt16BE(EXTENSIONS.KEY_SHARE, 0); // Extension Type
+    extension.writeUInt16BE(36, 2); // Extension Length
+    extension.writeUInt16BE(34, 4); // Key Share List Length
+    extension.writeUInt16BE(0x001d, 6); // Group: x25519
+    extension.writeUInt16BE(32, 8); // Key Exchange Length
+    rawPublicKey.copy(extension, 10);
+
+    return extension;
+  }
+
+  /**
+   * Wrap data in TLS Application Data record
+   */
+  wrapApplicationData(data) {
+    // TLS Record Header
+    const recordHeader = Buffer.allocUnsafe(5);
+    recordHeader.writeUInt8(0x17, 0); // Content Type: Application Data
+    recordHeader.writeUInt16BE(0x0303, 1); // Version: TLS 1.2
+    recordHeader.writeUInt16BE(data.length, 3); // Length
+
+    return Buffer.concat([recordHeader, data]);
+  }
+
+  /**
+   * Camouflage VPN data
+   */
+  camouflage(data, options = {}) {
+    if (!this.enabled) {
+      return data;
+    }
+
+    switch (this.mode) {
+      case 'basic':
+        // Just wrap in TLS record
+        return this.wrapApplicationData(data);
+
+      case 'full':
+        // Add realistic TLS patterns
+        if (options.isHandshake) {
+          return this.buildClientHello(options);
+        }
+        return this.wrapApplicationData(data);
+
+      case 'nested':
+        // Real TLS tunnel with nested VPN encryption
+        // This would require actual TLS implementation
+        // For now, use full mode
+        return this.wrapApplicationData(data);
+
+      default:
+        return data;
+    }
+  }
+
+  /**
+   * Extract data from TLS record
+   */
+  extract(tlsRecord) {
+    if (!this.enabled || tlsRecord.length < 5) {
+      return tlsRecord;
+    }
+
+    // Check if this is a TLS record
+    const contentType = tlsRecord.readUInt8(0);
+    
+    if (contentType !== 0x17) { // Application Data
+      return tlsRecord;
+    }
+
+    // Extract payload (skip 5-byte header)
+    return tlsRecord.slice(5);
+  }
+
+  /**
+   * Enable camouflage
+   */
+  enable() {
+    this.enabled = true;
+    this.logger.info('TLS camouflage enabled');
+  }
+
+  /**
+   * Disable camouflage
+   */
+  disable() {
+    this.enabled = false;
+    this.logger.info('TLS camouflage disabled');
+  }
+
+  /**
+   * Get statistics
+   */
+  getStats() {
+    return {
+      enabled: this.enabled,
+      mode: this.mode,
+      serverName: this.serverName,
+      alpnProtocols: this.alpnProtocols
+    };
+  }
+}
+
+module.exports = TLSCamouflage;
+module.exports.CIPHER_SUITES = CIPHER_SUITES;
+module.exports.EXTENSIONS = EXTENSIONS;
+module.exports.ALPN_PROTOCOLS = ALPN_PROTOCOLS;