shadowy-pycoder
GoHPTS (go-http-proxy-to-socks) v1.14.0: now with HTTP/2, HTTP/3 and Wireshark-ready pcap capture

I added HTTP/2, HTTP/3, and pcap capture support to GoHPTS, my open-source Go proxy tool. It already supported transparent proxy, ARP/NDP spoofing, and DNS spoofing; now you can also dump traffic directly to a pcap file. Repository and implementation details below:

HTTP2/HTTP3 support

The GoHPTS proxy handles HTTP/1.1, HTTP/2, and HTTP/3 requests using the same server address and TLS certificate. This allows clients to automatically choose the best available protocol without changing configuration. A TLS certificate can be obtained in several ways: from cloud providers (Google, AWS, Cloudflare), as a free certificate from Let's Encrypt, or you can create a self-signed certificate using openssl (Linux/macOS) or New-SelfSignedCertificate (Windows).

Example setup using a self-signed certificate:

  • Create the key.pem and cert.pem files:

    openssl req -x509 -newkey rsa:2048 \
      -keyout key.pem \
      -out cert.pem \
      -sha256 \
      -days 365 \
      -nodes \
      -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=127.0.0.1" \
      -addext "subjectAltName=IP:127.0.0.1"

  • Prepare a SOCKS5 server with UDP ASSOCIATE support (the binary is built into the current directory, so it is run from there):

    git clone https://github.com/wzshiming/socks5.git && cd socks5
    go build -o socks5_server ./cmd/socks5/main.go
    ./socks5_server -a 0.0.0.0:1080

  • Open another terminal and install the GoHPTS proxy:

    go install github.com/shadowy-pycoder/go-http-proxy-to-socks/cmd/gohpts@latest

  • Finally, run the proxy either from a config file or from command line arguments:

    1. Create a minimal config for your proxy:

       # gohpts_config.yaml
       http_server:
         enabled: true
         address: 127.0.0.1:8080
         cert_file: ./cert.pem
         key_file: ./key.pem

       proxy_list:
         - address: 127.0.0.1:1080

       logging:
         debug: true

       sniffing:
         enabled: true
         body: true

       Run the proxy:

       gohpts -f ./gohpts_config.yaml

    2. Or, if you prefer command line arguments:

       gohpts -l :8080 -s 1080 -c ./cert.pem -k ./key.pem -d -sniff -body

You should see something like this:

    [15:20:32] INF SOCKS5 Proxy: 127.0.0.1:1080
    [15:20:32] INF HTTPS Proxy: 127.0.0.1:8080
    [15:20:32] INF HTTP3 Proxy (QUIC): 127.0.0.1:8080

Test connection

  • For the HTTP/2 proxy server you can use curl:

    curl -Nvk --http2 --proxy-insecure --proxy-http2 --proxy https://localhost:8080 "https://stream.wikimedia.org/v2/stream/recentchange"

Press Ctrl+C to stop the running stream.

  • HTTP/3 is different: at the time of writing curl does not support HTTP/3 proxies, so I will use a custom client I created for testing purposes.

Download and build the Simple HTTP3 to SOCKS5 proxy example:

    git clone https://github.com/shadowy-pycoder/http3-socks-proxy.git && cd http3-socks-proxy
    make

Run the following command:

    ./bin/client -a 127.0.0.1:8080 www.google.com

You should see some gibberish resembling an HTML page.

Go to the terminal tab with the GoHPTS proxy and check the logs; you should see all your requests there.

Test connection in a browser

  • Create a proper self-signed certificate for the browser:

    git clone https://github.com/shadowy-pycoder/go-http-proxy-to-socks.git
    cd go-http-proxy-to-socks
    cp ./resources/makecert.sh makecert.sh && chmod +x makecert.sh
    ./makecert.sh

More information can be found here: Creating a browser trusted, self signed, SSL certificate

  • Add the newly created rootCA.crt to the system trust store:

    1. Debian/Ubuntu:

       sudo cp rootCA.crt /usr/local/share/ca-certificates/rootCA.crt
       sudo update-ca-certificates

    2. Arch Linux/CachyOS/EndeavourOS:

       sudo trust anchor rootCA.crt

  • Run the proxy using server.crt and server.key:

    gohpts -l :8080 -s 1080 -c ./server.crt -k ./server.key -d -sniff -body

  • Run the browser and go to any website:

    chromium --proxy-server="https://127.0.0.1:8080"

Packet Capture

Traffic can be captured into pcap, pcapng or a custom txt format and later analyzed with tools like Wireshark, tcpdump and many others.

First, make sure the GoHPTS executable has elevated privileges so it can capture raw packets. There are two options:

  • Run sudo setcap cap_net_raw+ep ~/go/bin/gohpts once to give the proxy raw traffic access
  • Run the proxy with sudo whenever you specify the -pcap flag in the CLI or pcap.enabled in the configuration file

Configure the proxy using the CLI:

    gohpts -pcap "promisc true;timeout 10s;exts txt,pcap,pcapng"

Configuration file:

    pcap:
      enabled: true
      settings: "promisc true;expr ip proto tcp;snaplen 65535;timeout 10s;packet_count 100;packet_buffer 8192;exts txt,pcap,pcapng"

These commands produce three packet capture files with corresponding formats that later can be analyzed by various tools.
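The settings string is a flat "key value;key value" list, so a mistyped key or an unsupported format is easy to miss unless the parser is strict. As an added example (not code from GoHPTS or mshark), here is a strict Go parser for that format; the Go types, the defaults (snaplen 65535, timeout 10s) and treating an empty expr as "no filter" are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// PcapSettings mirrors the keys of the post's -pcap string; types and defaults are this example's assumptions.
type PcapSettings struct {
	Promisc                            bool
	Expr                               string // BPF filter, e.g. "ip proto tcp"
	Snaplen, PacketCount, PacketBuffer int
	Timeout                            time.Duration
	Exts                               []string // any of txt, pcap, pcapng
}

// ParsePcapSettings parses "key value;..." strictly: unknown keys, bad values and unknown formats are errors.
func ParsePcapSettings(s string) (cfg PcapSettings, err error) {
	cfg = PcapSettings{Snaplen: 65535, Timeout: 10 * time.Second}
	ints := map[string]*int{"snaplen": &cfg.Snaplen, "packet_count": &cfg.PacketCount, "packet_buffer": &cfg.PacketBuffer}
	for _, item := range strings.FieldsFunc(s, func(r rune) bool { return r == ';' }) {
		key, val, _ := strings.Cut(strings.TrimSpace(item), " ") // a missing value fails in the parsers below
		switch key {
		case "promisc":
			cfg.Promisc, err = strconv.ParseBool(val)
		case "expr":
			cfg.Expr = val // empty expression means no filter
		case "snaplen", "packet_count", "packet_buffer":
			*ints[key], err = strconv.Atoi(val)
		case "timeout":
			cfg.Timeout, err = time.ParseDuration(val)
		case "exts":
			for _, e := range strings.Split(val, ",") {
				if e != "txt" && e != "pcap" && e != "pcapng" {
					return cfg, fmt.Errorf("unsupported capture format %q", e)
				}
				cfg.Exts = append(cfg.Exts, e)
			}
		default:
			return cfg, fmt.Errorf("unknown option %q", key)
		}
		if err != nil {
			return cfg, fmt.Errorf("option %q: %w", key, err)
		}
	}
	return cfg, nil
}
```

Feeding it the configuration file's settings string from above returns a fully populated struct; a typo such as "snaplen_x" or an extension like "json" is reported instead of being dropped.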

For more information about pcap options see gohpts -h and https://github.com/shadowy-pycoder/mshark

Capture files can be opened and analyzed with dedicated tools like Wireshark; they can also be converted to JSON/XML so that LLMs can analyze and summarize them.

Other features

  • Proxy Chain functionality
    Supports strict, dynamic, random and round_robin chains of SOCKS5 proxies

  • Transparent proxy
    Supports redirect (SO_ORIGINAL_DST) and tproxy (IP_TRANSPARENT) modes

  • TCP and UDP Transparent proxy
    tproxy (IP_TRANSPARENT) handles TCP and UDP traffic

  • Traffic sniffing
    The proxy is able to parse HTTP headers, TLS handshakes, DNS messages and more

  • ARP spoofing
    Proxy entire subnets using the ARP spoofing approach

  • NDP spoofing
    Proxy IPv6 connections using Router/Neighbor Advertisement and RDNSS injection

  • DNS spoofing
    Redirect clients to arbitrary domains by manipulating DNS records

  • Lightweight and Fast
    Designed with minimal overhead and efficient request handling

  • Cross-Platform
    Compatible with all major operating systems

Links:

https://github.com/shadowy-pycoder/mshark

https://codeberg.org/shadowy-pycoder/mshark
