MCPcopy Index your code
hub / github.com/SixGenInc/Noctilucent

github.com/SixGenInc/Noctilucent @v1.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.0 ↗ · + Follow
1,214 symbols 4,368 edges 117 files 367 documented · 30% updated 3y agov1.0 · 2020-08-05★ 6844 open issues
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Noctilucent

Description

This is the code developed and presented as part of the DEF CON 28 (Safe Mode) talk "Domain Fronting is Dead, Long Live Domain Fronting: Using TLS 1.3 to evade censors, bypass network defenses, and blend in with the noise."

Domain fronting, the technique of circumventing internet censorship and monitoring by obfuscating the domain of an HTTPS connection was killed by major cloud providers in April of 2018. However, with the arrival of TLS 1.3, new technologies enable a new kind of domain fronting. This time, network monitoring and internet censorship tools are able to be fooled on multiple levels. This talk will give an overview of what domain fronting is, how it used to work, how TLS 1.3 enables a new form of domain fronting, and what it looks like to network monitoring. You can circumvent censorship and monitoring today without modifying your tools using an open source TCP and UDP transport tool (Cloak) that will be released alongside this talk.

Talk: [TBD]

Slides are available in the docs folder.

Compiled test client, test server, and Cloak client binaries are available under "Releases."

Demos

Noctilucent test client bypassing Palo Alto 10.0 TLS decryption: [TBD]

Noctilucent Cloak client: [TBD]

Noctilucent Cloak client with CobaltStrike: [TBD]

Noctilucent built into DeimosC2 Agent: [TBD]

Layout

Noctilucent
├── Cloak # The Cloak fork
│   ├── build # Compiled Cloak binaries 
│   ├── cmd # Cloak client and server source code
│   ├── example_config # Configs for Cloak and Shadowsocks
│   └── internal # Code for Cloak client and server
├── DeimosC2 # Modified HTTPS agent source code
├── _dev
│   └── GOROOT # Modified Go source tree (tls is placed in here)
├── client # Test client source code
│   └── build # Test client binaries
├── docs # Slides and other docs
│   └── screenshots
├── example-traffic.pcapng # 2 requests made with Noctilucent
├── findfronts # Helper to find domains that can be used with Noctilucent
├── server # Test server (HTTP and websockets)
├── tls # Noctilucent tls library (copied to _dev/GOROOT)
└── websocket # Noctilucent websocket library

Build from source

Setup - Ubuntu 18.04

Install latest go from golang.org

Note: Developed with Go 1.14

sudo apt install make git gcc
make client # this will take a minute, we are replacing tls in the standard library and recompiling it
make cloak

Setup - macOS 10.15

Install latest go from golang.org

Note: Developed with Go 1.14

xcode-select --install
make client # this will take a minute, we are replacing tls in the standard library and recompiling it
make cloak

Client binaries are available in client/build and Cloak client binaries are available in Cloak/build.

The modifications made to Cloak can be seen in Cloak/git_diff.patch

Testing

Test Client

The server/server.go contains a sample HTTP and websocket server to test against. You can build the server and run it on your own VPS with go build inside the server directory. Setup a Cloudflare account and point a domain at your VPS. Ensure that SSL/TLS is set to "Flexible" as the server is not using TLS (or setup a reverse-proxy to handle TLS). Run the server binary (as root, it binds to port 80) on the VPS and replace defcon28.hackthis.computer in the examples with your domain. You can replace -serverName with anything (really, even non-domain strings) and -TLSHost with any site that is hosted behind Cloudflare (lots, try medium.com). Cloudflare has a helpful site for finding frontable domains here, or you can choose any from findfronts/frontable100k.txt.

TLS 1.3

TLS 1.3 with ESNI (ECH)

TLS 1.3 with ESNI (ECH) and Hiding

TLS 1.3 with ESNI (ECH), Hiding, and decoy SNI

TLS 1.3 with ESNI (ECH), Hiding, and decoy SNI - Websocket

Cloak Client

  1. Setup a standard Cloak + Shadowsocks server using this script.
  2. Download a shadowsocks-rust binary for your platform.
  3. Use the noctilucent-cloak-clinet and sslocal to create a local SOCKS proxy that is hidden behind a Cloudflare hosted domain. Example configs are available in Cloak/example_config and should be edited to match the values given by the Cloak + Shadowsocks setup script.

Thanks

This project is based on cloudflare's tls-tris and inspired by DigiNinja's rough openssl PoC work. It also includes a modified version of ahhh's DNS over HTTPS code, godns and of course Cloak.

Extension points exported contracts — how you extend this code

ClientSessionCache (Interface)
ClientSessionCache is a cache of ClientSessionState objects that can be used by a client to resume a TLS session with a [1 …
tls/common.go
Handler (FuncType)
Handler is a simple interface to a WebSocket browser client. It checks if Origin header is valid URL by default. You mig
websocket/server.go
SessionTicketSealer (Interface)
A SessionTicketSealer provides a way to securely encapsulate session state for storage on the client. All methods are sa
tls/ticket.go
Valve (Interface)
(no doc) [2 implementers]
Cloak/internal/multiplex/qos.go
ConnWithReadFromTimeout (Interface)
(no doc) [1 implementers]
Cloak/internal/client/piper.go
UserManager (Interface)
(no doc) [1 implementers]
Cloak/internal/server/usermanager/usermanager.go
Dialer (Interface)
(no doc) [1 implementers]
Cloak/internal/common/dialer.go
Transport (Interface)
(no doc)
Cloak/internal/client/transport.go

Core symbols most depended-on inside this repo

Error
called by 289
tls/alert.go
Write
called by 202
Cloak/internal/multiplex/recvBuffer.go
sendAlert
called by 139
tls/conn.go
Clone
called by 66
tls/common.go
marshal
called by 66
tls/common.go
Close
called by 65
tls/conn.go
Read
called by 56
Cloak/internal/multiplex/stream.go
Get
called by 50
tls/common.go

Shape

Method 511
Function 503
Struct 159
Interface 24
TypeAlias 14
FuncType 3

Languages

Go100%

Modules by API surface

tls/handshake_messages.go83 symbols
tls/13.go61 symbols
tls/handshake_server_test.go58 symbols
tls/handshake_client_test.go56 symbols
tls/conn.go56 symbols
tls/common.go54 symbols
tls/cipher_suites.go50 symbols
websocket/websocket.go42 symbols
websocket/hybi.go31 symbols
websocket/websocket_test.go30 symbols
tls/handshake_messages_test.go26 symbols
tls/tls_test.go25 symbols

For agents

$ claude mcp add Noctilucent \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page