Tunneling
The Goauld agent supports multiple transport mechanisms to communicate with the server. If a transport fails, the agent automatically falls back to the next available method.
The agent attempts to connect to the server using several transports:
- Direct SSH connection
- SSH over QUIC
- SSH over TLS
- SSH over WebSocket
- SSH over HTTP
- SSH over DNS
For each transport protocol, the agent tries to establish a connection to the server with a 60-second timeout (configurable using the --ssh-timeout flag). If the connection is established, the agent finalizes the connection.
Otherwise, the agent moves on to the next transport protocol. The order is configurable using --rssh-order, e.g. --rssh-order=ssh,tls,ws,http,dns.
If no connection has been established after a full loop, the agent will try again.
Direct SSH connection
Flags
--ssh-server: ([IP/Hostname]:[PORT])
SSH over TLS
The SSH connection is encapsulated over a TLS connection.
The TLS layer is not relied upon for confidentiality or integrity; the SSH session inside it provides that. TLS is used only as an envelope, because some proxies allow TLS traffic while blocking plain SSH.
Flags
--tls-server: ([IP/Hostname]:[PORT]) The SSH server is configured using the --ssh-server flag.
SSH over WebSocket
The SSH connection is encapsulated over a WebSocket connection.
This makes it easier to bypass restrictive proxies while maintaining acceptable performance.
Flags
--server: the WebSocket endpoint is [server]/wssh/
SSH over HTTP
The SSH connection is encapsulated over HTTP requests/responses.
This transport is considerably slower than the previous ones, but allows traffic to pass through proxies that block WebSockets for instance.
Flags
--server: the HTTP endpoint is [server]/sshttp/
SSH over DNS
This transport encapsulates SSH traffic inside DNS queries and responses, allowing communication in highly restricted environments where only DNS traffic is permitted.
It is considerably slower than the previous transports, but it still works where WebSockets and HTTP are blocked and only DNS leaves the network.
Flags
--dns-server: the servers used as recursive DNS resolvers to reach the DNS server. If the goauld server is directly reachable, it can be added to this list as well.
- The special value system automatically adds the detected system DNS servers to the list.
- The special value
--dns-domain: the domain on which DNS queries are performed.
A shorter domain name leaves more room for data in each query, which can improve throughput.
--custom-dns-command: in some contexts, DNS queries cannot be sent directly, but system commands such as Resolve-DnsName are still allowed to perform DNS queries. When this flag is used, the provided command is executed for each DNS query. The command is responsible for performing the DNS query, parsing the DNS response and returning the response as raw bytes.
Example (PowerShell):
((Resolve-DnsName -Type TXT -Server 127.0.0.1 '%s')[0].Strings -join '' -replace '\s+', '' -split '..' | ForEach-Object { [Convert]::ToByte($_,16) } )
Example (dig):
dig +short +unknownformat -t TXT '%s' @127.0.0.1 | head -n1 | cut -d ' ' -f3- | tr -d ' ' | xxd -r -p
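The WebSocket, HTTP and DNS transports above each leave a distinct trace in egress telemetry: the documented endpoint paths (/wssh/ and /sshttp/) in proxy access logs, and a stream of TXT queries carrying encoded data in query names in DNS logs. The following detection sketch is an added example written from the defender's side; it is not code from the Goauld project. The log formats, sample lines, hex-label heuristic and the per-client query threshold are all constructed assumptions for illustration.

```python
import re
from collections import Counter

# Endpoint paths documented for the WebSocket and HTTP transports.
SUSPICIOUS_PATHS = ("/wssh/", "/sshttp/")

# Constructed sample logs, not real captures.
# Assumed, simplified proxy log format: <client> <method> <url> <status>
PROXY_LOG = """\
10.0.0.5 GET http://203.0.113.7/index.html 200
10.0.0.5 GET http://203.0.113.7/wssh/ 101
10.0.0.9 POST http://203.0.113.7/sshttp/ 200
10.0.0.9 POST http://203.0.113.7/sshttp/ 200
10.0.0.12 GET http://www.example.test/news 200
""".splitlines()

# Assumed, simplified DNS query log format: <client> <qtype> <qname>
DNS_LOG = """\
10.0.0.5 TXT 4a6f686e20446f65206973.t.example.test
10.0.0.5 TXT 2e2e2e6c6f6e67206865782064617461.t.example.test
10.0.0.5 TXT 1122334455667788990011223344556677.t.example.test
10.0.0.7 TXT _dmarc.example.test
10.0.0.7 A www.example.test
""".splitlines()

# A long, purely hexadecimal leading label is typical of payload encoded into a query
# name. Real tunnels may use base32/base64 alphabets, so widen this pattern as needed.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$")


def proxy_findings(lines):
    """Return (client, url) pairs whose URL contains a documented tunnel endpoint path."""
    hits = []
    for line in lines:
        client, _method, url, _status = line.split()
        if any(path in url for path in SUSPICIOUS_PATHS):
            hits.append((client, url))
    return hits


def base_domain(qname, depth=2):
    """Reduce a query name to its last `depth` labels, e.g. t.example.test -> example.test."""
    return ".".join(qname.rstrip(".").lower().split(".")[-depth:])


def dns_findings(lines, min_queries=3):
    """Return {(client, base_domain): count} for clients that sent at least `min_queries`
    TXT queries whose leading label looks like encoded data. The threshold is a tuning knob."""
    counts = Counter()
    for line in lines:
        client, qtype, qname = line.split()
        if qtype != "TXT":
            continue
        first_label = qname.split(".")[0].lower()
        if HEX_LABEL.match(first_label):
            counts[(client, base_domain(qname))] += 1
    return {key: n for key, n in counts.items() if n >= min_queries}


if __name__ == "__main__":
    for client, url in proxy_findings(PROXY_LOG):
        print(f"tunnel endpoint: {client} -> {url}")
    for (client, domain), n in dns_findings(DNS_LOG).items():
        print(f"possible DNS tunnel: {client} sent {n} encoded TXT queries to {domain}")
```

Path matching only helps when the proxy sees the plaintext request (the HTTP transport, or the WebSocket transport before a TLS upgrade); for the TLS-wrapped variants the proxy sees only a CONNECT. The DNS signal is more robust: one client issuing many TXT queries with long encoded labels toward a single zone is rare in normal traffic, and the base-domain grouping lets you rank zones by query volume before looking at individual names.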
Browser proxy
The agent can use a web browser to tunnel all the traffic.
- The agent exposes a simple web page with custom JavaScript. The JavaScript opens four WebSocket connections:
  - Two connecting to the server (control and data)
  - Two connecting to the agent (control and data)
- The agent exposes a custom endpoint that allows the browser to initiate the connection to the agent.
- The web page pipes the WebSocket connections together.
Flags:
--browser-proxy-port: the port used to expose the custom web page and the WebSocket endpoints used by the browser to connect to the agent.
Egress proxies
If required, the agent will try to reach the server using the proxy configuration identified on the system (see https://github.com/aus/proxyplease?tab=readme-ov-file#proxy-selection).
Flags
--proxy: use a custom proxy instead of the system proxy
--proxy-username: Username to authenticate on the proxy
--proxy-password: Password to authenticate on the proxy
--proxy-domain: Domain to authenticate on the proxy
--no-proxy: Ignore the system proxy
The proxy will be selected by the following priority:
Windows
- --proxy [PROXY_URL] (or any other means allowing configuration of the proxy flag, see general/compilation)
- Environment variables: HTTPS_PROXY, HTTP_PROXY, FTP_PROXY, or ALL_PROXY. NO_PROXY is respected.
- Internet Options: Automatically detect settings (WPAD)
- Internet Options: Use automatic configuration script (PAC)
- Internet Options: Manual proxy server
- WINHTTP (netsh winhttp)
Linux
- --proxy [PROXY_URL] (or any other means allowing configuration of the proxy flag, see general/compilation)
- Environment variables: HTTPS_PROXY, HTTP_PROXY, FTP_PROXY, or ALL_PROXY. NO_PROXY is respected.
macOS
- --proxy [PROXY_URL] (or any other means allowing configuration of the proxy flag, see general/compilation)
- Environment variables: HTTPS_PROXY, HTTP_PROXY, FTP_PROXY, or ALL_PROXY. NO_PROXY is respected.
- Network Settings (scutil)
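The priority lists above decide which egress path a process on a host ends up using, and that is exactly what an egress-control review needs to reproduce: given the flags and the environment, which proxy (if any) would be chosen for a target, and does a NO_PROXY exclusion quietly open a direct path? The helper below is an added example, not code from the Goauld project or from the proxyplease library it references. It models only the first two layers that all three platforms share (the explicit --proxy flag, then the environment variables with NO_PROXY honoured); the platform-specific layers (WPAD, PAC, netsh winhttp, scutil) are out of scope. The exact NO_PROXY matching rules, case-insensitive variable lookup, and the scheme-specific-before-ALL_PROXY ordering are assumptions.

```python
from urllib.parse import urlsplit

# Scheme-specific variable consulted before the ALL_PROXY fallback (assumed ordering).
SCHEME_VARS = {"https": "HTTPS_PROXY", "http": "HTTP_PROXY", "ftp": "FTP_PROXY"}


def _env_lookup(env, name):
    """Honour both upper- and lower-case spellings of a variable (assumed convention)."""
    return env.get(name) or env.get(name.lower())


def _no_proxy_match(host, entry):
    """One NO_PROXY entry: '*' matches everything, otherwise exact host or domain suffix."""
    entry = entry.strip().lower()
    if not entry:
        return False
    if entry == "*":
        return True
    entry = entry.lstrip(".")
    return host == entry or host.endswith("." + entry)


def bypasses_proxy(host, no_proxy):
    """True when the comma-separated NO_PROXY value covers host (assumed semantics)."""
    host = (host or "").lower()
    return any(_no_proxy_match(host, e) for e in (no_proxy or "").split(","))


def select_proxy(target_url, cli_proxy=None, env=None, no_system_proxy=False):
    """Return the proxy URL that would be used for target_url, or None for a direct
    connection. cli_proxy models --proxy, no_system_proxy models --no-proxy, env is the
    process environment; lower-priority platform layers are not modelled here."""
    env = env or {}
    if cli_proxy:
        return cli_proxy            # an explicit --proxy wins over every other source
    if no_system_proxy:
        return None                 # --no-proxy: skip system proxy discovery entirely
    parts = urlsplit(target_url)
    if bypasses_proxy(parts.hostname, _env_lookup(env, "NO_PROXY")):
        return None                 # NO_PROXY is respected: direct connection
    for var in (SCHEME_VARS.get(parts.scheme), "ALL_PROXY"):
        value = _env_lookup(env, var) if var else None
        if value:
            return value
    return None                     # nothing configured at these layers


if __name__ == "__main__":
    # Constructed environment for illustration, not a real host's configuration.
    sample_env = {
        "HTTPS_PROXY": "http://proxy.corp.test:8080",
        "NO_PROXY": "localhost,.internal.test",
    }
    for url in ("https://c2.example.test/wssh/", "https://app.internal.test/"):
        print(url, "->", select_proxy(url, env=sample_env) or "DIRECT")
```

Run it with the environment and flags an endpoint actually has and compare the answer with the egress policy you expect. A result of DIRECT for an external host means the NO_PROXY exclusions (or a --no-proxy style override) give the process a path around the proxy, which is where the transports listed earlier would then go.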
Agent binding
The agent can expose a port to which the client connects (see client/agent-binding).
Flags
--rssh-order=bind
--bind-port