spaze / oprah-proxy Goto Github PK
View Code? Open in Web Editor NEWGenerate credentials for Opera's "browser VPN"
License: MIT License
Generate credentials for Opera's "browser VPN"
License: MIT License
Hi, I used the .pac file created by myself (try using both the domain and the ip address directly) under MacOS or iOS. There will be no pop up for credential, instead there is just no internet access.
Once again, they've broken the request syntax.
If anyone still maintains this project, please find a minute to fix it. :)
2017-04-18 28:63:55,625 DEBUG Geo list fetched
2017-04-18 28:63:55,633 DEBUG Call discover CA
2017-04-18 28:63:56,790 DEBUG "POST /v2/discover HTTP/1.1" 200 None
2017-04-18 28:63:56,801 DEBUG ERROR: Invalid client.
Yep, resistance is useless, but they keep on trying.
2017-05-27 09:27:38,345 DEBUG "POST /v2/register_subscriber HTTP/1.1" 200 None
2017-05-27 09:27:38,348 DEBUG ERROR: Unknown or invalid client type/product code provided.
Is there any fresh fix for that? Muchos gracias!
Hi,
It'd be super nice if the script could automatically do a couple pings to each server and automatically find the closest server.
Cheers :)
~ python3 Downloads/oprah-proxy-master/oprahProxy.py
2017-06-14 13:39:53,631 DEBUG ++++++++++++++++++++++++++=======================~~~~~~~::::
2017-06-14 13:39:53,632 DEBUG ,..,,,.,,...,,,.,,,,,,,,,,............,.....,.,,::::~~======
2017-06-14 13:39:53,632 DEBUG ,,,,,:,,,,,,,,,,,,,, ,.,,,,,,,,,,,,,....~
2017-06-14 13:39:53,632 DEBUG ~~~~~~~::::::::::::: YOU GET A PROXY! ,,,,,,,,,,,,,,,,,:~=
2017-06-14 13:39:53,632 DEBUG ~~===~~~~::::::::::. ,,,,,,,,,,,,,,,~~~:~
2017-06-14 13:39:53,632 DEBUG ::~:::::::::::::::,,...,~=::~=~:.....,,,,,,,,,,,,,,,:~:~:,::
2017-06-14 13:39:53,632 DEBUG ??+=..,++++++++++=.....:===I+~=~....,,~~=~~~~~~~:~====~,,::~
2017-06-14 13:39:53,632 DEBUG ::~....,...............~=~~~~:=~,...,.~~~======~==++=~:====+
2017-06-14 13:39:53,633 DEBUG ::~...,:,,,,,,,,.......:==~+=:~:,.....,,,,,,,~~~====~,,,,,,,
2017-06-14 13:39:53,633 DEBUG :::~~~:,::,,::::,......+~~===~:,.....,,,,,,~~~~~==~,,,,....,
2017-06-14 13:39:53,633 DEBUG ~:~:,,,,,:::::,..........~~::~,:....:~~~~~::::~:::::,,,,,,,,
2017-06-14 13:39:53,633 DEBUG ~...~~~,,::~~::~:........~~~:~::.:,,:~::::::::::::::::::::::
2017-06-14 13:39:53,633 DEBUG +..???+?~,::::::::::::~:~::~~~:~::::::::::::::::~~=~~~~~~~~=
2017-06-14 13:39:53,633 DEBUG ...?????+?,.:::::::::::~~:~~::~:::::::::::::::,~++++++++++++
2017-06-14 13:39:53,633 DEBUG ?=??????+??~,::::::::~~~~~~~~~~::::::::::::::,=+++++++++++++
2017-06-14 13:39:53,633 DEBUG ????????????::::::,::~~~~~~~~~~:::::::::::::,+++++++++++++++
2017-06-14 13:39:53,633 DEBUG ??+??????????:,,::,:::~~~~~~~:::::::::::::,+++++++++++++++++
2017-06-14 13:39:53,633 DEBUG ??????????????+,,,,:::~~,~~~~~:::=,:::::,?+?++++++++++++++++
2017-06-14 13:39:53,633 DEBUG ????????????????+,:::~~:,~~~~~~~~:~::::=+??+?++?++++++++++++
2017-06-14 13:39:53,634 DEBUG ??????????????????:::~~~~~~~~~~~:::::::???????++++++++++++++
2017-06-14 13:39:53,634 DEBUG ??????????????????=:::~~~~~~~~~::::::::+??????+++++?+?++++++
2017-06-14 13:39:53,634 DEBUG =+==+====++++++++==:::~:,~~~~~:::,::::~====~~::::,,...,:~~=+
2017-06-14 13:39:53,634 DEBUG ++++++++++++===++++::~:~~~~~~::::~::::=+++++++++++++========
2017-06-14 13:39:53,634 DEBUG =====+++++=====++++:~:~~~~~~::::::::::~++===================
2017-06-14 13:39:53,634 DEBUG +++==+======+++ ==================
2017-06-14 13:39:53,634 DEBUG ~~~~==========~ EVERYBODY GETS A PROXY! ~~~~~~~~~~~~~~~~~~
2017-06-14 13:39:53,634 DEBUG ~~~~~~~~~~~===~ ~~~~~~~~~~~~~~~~~~
2017-06-14 13:39:53,634 DEBUG =============++===:::::::::::::::::::::~~~~~~~~~~~~~~~~~~~:~
2017-06-14 13:39:53,634 DEBUG https://github.com/spaze/oprah-proxy :::==~=~~~~~~~~=~~~~~~~
2017-06-14 13:39:53,635 DEBUG Call register_subscriber
2017-06-14 13:39:53,635 DEBUG Your SurfEasy email: ed0ecd02-1c74-4a1c-a54a-b126570204f4@<put client type here>.surfeasy.vpn
2017-06-14 13:39:53,635 DEBUG Your SurfEasy password: 2e6abc52-da89-4d75-aabb-708111617647
2017-06-14 13:39:53,635 DEBUG Your SurfEasy password hash: 2DDA99C2E100C54FC2C51C2177B9886C73F8E7C4
2017-06-14 13:39:53,635 DEBUG These are not the credentials you are looking for (you won't probably need these, ever)
2017-06-14 13:39:53,640 DEBUG Starting new HTTPS connection (1): api.surfeasy.com
2017-06-14 13:39:54,805 DEBUG https://api.surfeasy.com:443 "POST /v2/register_subscriber HTTP/1.1" 200 None
2017-06-14 13:39:54,806 DEBUG ERROR: Unknown or invalid client type/product code provided.
Looks similar to #12, but this time it's just NL:
2017-04-22 02:36:51,412 DEBUG Call geo_list
2017-04-22 02:36:51,743 DEBUG "POST /v2/geo_list HTTP/1.1" 200 None
2017-04-22 02:36:51,745 INFO Supported country: CA Canada
2017-04-22 02:36:51,747 INFO Supported country: US United States
2017-04-22 02:36:51,747 INFO Supported country: DE Germany
2017-04-22 02:36:51,748 INFO Supported country: NL Netherlands
2017-04-22 02:36:51,748 INFO Supported country: SG Singapore
2017-04-22 02:36:51,749 DEBUG Geo list fetched
2017-04-22 02:36:51,749 DEBUG Call discover CA
2017-04-22 02:36:52,067 DEBUG "POST /v2/discover HTTP/1.1" 200 None
2017-04-22 02:36:52,068 INFO Your location is CZ/52
2017-04-22 02:36:52,068 INFO Proxy in NL/0 185.137.19.134:443
2017-04-22 02:36:52,068 INFO Proxy in NL/0 185.137.18.31:80
2017-04-22 02:36:52,068 INFO Proxy in NL/0 185.137.18.173:8181
2017-04-22 02:36:52,068 INFO Proxy in NL/0 185.137.18.126:22
2017-04-22 02:36:52,068 INFO Proxy in NL/0 185.137.18.120:443
2017-04-22 02:36:52,068 INFO Proxy in NL/0 185.137.18.119:80
2017-04-22 02:36:52,068 INFO Proxy in NL/0 185.137.17.50:8181
2017-04-22 02:36:52,068 INFO Proxy in NL/0 185.137.18.144:22
2017-04-22 02:36:52,068 INFO Proxy in NL/0 185.137.18.46:443
2017-04-22 02:36:52,068 INFO Proxy in NL/0 185.137.17.53:80
2017-04-22 02:36:52,069 DEBUG 10 proxies discovered
2017-04-22 02:36:52,069 DEBUG Call discover US
2017-04-22 02:36:52,407 DEBUG "POST /v2/discover HTTP/1.1" 200 None
2017-04-22 02:36:52,408 INFO Your location is CZ/52
2017-04-22 02:36:52,408 INFO Proxy in NL/0 185.137.18.224:443
2017-04-22 02:36:52,408 INFO Proxy in NL/0 185.137.17.13:80
2017-04-22 02:36:52,409 INFO Proxy in NL/0 185.137.19.139:8181
2017-04-22 02:36:52,409 INFO Proxy in NL/0 185.137.18.80:22
2017-04-22 02:36:52,409 INFO Proxy in NL/0 185.137.19.238:443
2017-04-22 02:36:52,409 INFO Proxy in NL/0 185.137.18.120:80
2017-04-22 02:36:52,409 INFO Proxy in NL/0 185.137.17.40:8181
2017-04-22 02:36:52,409 INFO Proxy in NL/0 185.137.18.205:22
2017-04-22 02:36:52,409 INFO Proxy in NL/0 185.137.18.154:443
2017-04-22 02:36:52,409 INFO Proxy in NL/0 185.137.18.52:80
2017-04-22 02:36:52,409 DEBUG 10 proxies discovered
For https://github.com/spaze/oprah-proxy/blob/master/pac.js
Sample fixed PAC file
function FindProxyForURL(url, host) {
// bypass proxy for local addresses
if (isPlainHostName(host) ||
shExpMatch(host, "*.local") ||
isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
return "DIRECT";
// DEFAULT RULE: All other traffic use this proxy
return 'HTTPS ca.opera-proxy.net:443';
}
General PAC reference
https://support.mozilla.org/en-US/kb/advanced-panel-settings-in-firefox#w_connection
https://www.websense.com/content/support/library/web/v76/pac_file_best_practices/PAC_best_pract.aspx
https://www.websense.com/content/support/library/web/v76/pac_file_best_practices/PAC_file_sample.aspx
http://findproxyforurl.com/example-pac-file/
PAC validator / parser utilities
https://chentiangemalc.wordpress.com/2013/09/30/pacdbg-custom-proxy-browser-set-proxy-cmd-line-tool/
https://github.com/pacparser/pacparser
How to use a local PAC file instead of cloud hosted file
https://www.cisco.com/c/en/us/td/docs/security/web_security/connector/connector3000/PACAP.html#wp1015209
In-browser PAC editor
https://addons.mozilla.org/en-US/firefox/addon/pac-reloader
The api responds with this error:
{'data': {}, 'return_code': {'19': 'Invalid client.'}}
In the usage
oprahProxy.py <client_type> <client_key>
what are these client_type and client_key stand for? Can you add bit more detail on how to obtain those or what are valid client_type?
Trying to analyze their handshake. Had set up mitmproxy, added a trusted CA.
Firefox works fine. Opera w/o vpn works fine.
But when trying to connect to vpn, mitmproxy says:
The client may not trust the proxy's certificate for api.surfeasy.com.
I suspect they're using cert pinning of some sort? Any ideas?
As mentioned in several places (like #3 and this tweet), the openssl s_client
example does not work with HTTPS. That's correct and I should do something about it.
The thing is, when connecting to an HTTPS site the proxy needs CONNECT https://httpbin.org/ip HTTP/1.0
instead of GET https://httpbin.org/ip HTTP/1.0
and then expects a full TLS stream. I don't know if this can be achieved with just openssl s_client
, maybe not.
s_client
example is just for HTTP, not HTTPS.After got the secret sauce:
basic_auth, proxy, port = get_proxy()
I find that one low-level way to use it is:
req = 'GET {url} HTTP/1.0\nProxy-Authorization: BASIC {basic_auth}\n\n'.format(
url='http://httpbin.org/ip', basic_auth=basic_auth)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock = ssl.wrap_socket(sock)
sock.connect((proxy, port))
sock.send(req.encode('ascii'))
print(sock.recv(1024))
sock.close()
Another method needs an ugly monkey patch of HTTPSConnection
to avoid SNI error:
class PatchedContext:
def __init__(self, conn):
conn._check_hostname = False
conn._context.check_hostname = False
self.ctx = conn._context
def __getattr__(self, attr):
if attr == 'wrap_socket':
return lambda sock, server_hostname: self.ctx.wrap_socket(sock)
return getattr(self.ctx, attr)
conn = http.client.HTTPSConnection(proxy, port)
conn._context = PatchedContext(conn)
conn.request("GET", "http://httpbin.org/ip",
headers={"Proxy-Authorization": "BASIC "+basic_auth})
print(conn.getresponse().read())
Combination of device_hash, client_type and api_key doesn't seem to be working
for some reason it doesn't work.
although script shows me correct credentials such as:
https://api.surfeasy.com:443 "POST /v2/discover HTTP/1.1" 200 None
2017-05-08 00:20:59,564 INFO Your location is RU/71
2017-05-08 00:20:59,564 INFO Proxy in NL/0 185.137.17.99:443
2017-05-08 00:20:59,564 INFO Proxy in NL/0 185.137.18.106:80
2017-05-08 00:20:59,564 INFO Proxy in NL/0 185.137.18.182:8181
2017-05-08 00:20:59,564 INFO Proxy in NL/0 185.137.18.120:22
2017-05-08 00:20:59,565 INFO Proxy in NL/0 185.137.18.218:443
2017-05-08 00:20:59,565 INFO Proxy in NL/0 185.137.18.84:80
2017-05-08 00:20:59,565 INFO Proxy in NL/0 185.137.17.90:8181
2017-05-08 00:20:59,565 INFO Proxy in NL/0 185.137.18.102:22
2017-05-08 00:20:59,565 INFO Proxy in NL/7 188.166.53.215:443
2017-05-08 00:20:59,566 INFO Proxy in NL/0 185.137.19.126:80
2017-05-08 00:20:59,566 DEBUG 10 proxies discovered
2017-05-08 00:20:59,566 INFO Pick a proxy from the list above and use these credentials:
2017-05-08 00:20:59,566 INFO Username: $$$$$$
2017-05-08 00:20:59,566 INFO Password: #########
2017-05-08 00:20:59,566 INFO HTTP header Proxy-Authorization: Basic ####$$$$!!!!!!!
in a browsers none off the proxies listed above work directly with ip:port designation - empty response. when using pac.js file the best i've managed to achieve is: "Authentication credentials required" message in browser windows. no proxy basic auth windows appears as it should with common proxy solutions with manual auth. my local proxies with basic auth are working as expected showing an auth window in all the browsers.
tried firefox, ie11, chromium 60. nothing. one time the proxy auth windows appeared in firefox, but after restart it's gone again.
in opera's native mode everything is working though.
i've tried cascading proxy with manual basic auth (ccproxy) - also doesn't work.
any suggestions?
Thanks for creating this script, man!
Can you elaborate on the following: to test your statement that OperaVPN is just a proxy, I ran a quick and dirty gimmick:
Ipad (Jailbroken 8.3)
Kali Linux
Ettercap, Wireshark.
Did MITM ARP poison on Kali and routed Ipad's traffic to it.
VPN ON:
All visible traffic is between the vpn gate in Germany and ipad's local ip. No other SRC or DST ip's.
Not even dns queries. Launched browsers, messengers, different apps.
VPN OFF:
Direct connections to hundreds of ip's, dns queries to apple servers, TLS etc.
Just as expected.
When VPN is on, a new interface is up:
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet 10.251.17.218 --> 10.251.17.218 netmask 0xffffffff
From what I see, it talks via ESP (Encapsulating Security Payload) which I'm not familiar with, but I reckon its part of IPSec family?
So please cure my ignorance, what I did wrong? Thanks!
The PAC file uses hardcoded location (DE), if you want to use other location just download the file, change the hostname (available hostnames are {ca,de,us}.opera-proxy.net), change your browser configuration, and you should be ready to go.
^^^
Just want to clarify it: what does "change your browser configuration" mean?
If I edit pac.js and put US or CA instead of DE, what shall I do next?
Save the edited file locally and point Auto-detect to something like file://..../pac.js ?
Opera 45.0.2552.812 has switched to v4 API. That API uses HTTP Digest Authentication instead of SE-...
HTTP headers.
POST /v4/register_subscriber HTTP/1.1
Host: api.surfeasy.com
Connection: keep-alive
Content-Length: 128
Accept: application/json
SE-Client-Version: Stable 45.0.2552.812
SE-Operating-System: Windows
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36 OPR/45.0.2552.812
Accept-Encoding: gzip, deflate, br
HTTP/1.1 401 Unauthorized
Server: nginx/1.12.0
Date: Thu, 18 May 2017 20:32:04 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Status: 401 Unauthorized
WWW-Authenticate: Digest realm="ApiDigest", qop="auth", algorithm=SHA-256, nonce="MTQ5NTEzOTUyNDozNDEyMjA0OWY0ZjE4ZDgwZDFjOGI5M2ZiNmUyMzYyMWI4Y2NiYTNiMDEwZTdmNzU0NzY2ZTNjOTA2NmYwYWM2", opaque="a6feff632d495616728c8ef3532064ca457e3d0badcfa2db349a0433dcc4520f"
X-UA-Compatible: IE=Edge,chrome=1
Cache-Control: no-cache
X-Request-Id: 66c73f05d6950077cfd83b58fc9f498e
X-Runtime: 0.009371
X-Rack-Cache: invalidate, pass
POST /v4/register_subscriber HTTP/1.1
Host: api.surfeasy.com
Connection: keep-alive
Content-Length: 128
Authorization: Digest username="se0316", realm="ApiDigest", nonce="MTQ5NTEzOTUyNDozNDEyMjA0OWY0ZjE4ZDgwZDFjOGI5M2ZiNmUyMzYyMWI4Y2NiYTNiMDEwZTdmNzU0NzY2ZTNjOTA2NmYwYWM2", uri="/v4/register_subscriber", algorithm=SHA-256, response="ff7f495b6dd7c0b53119f3f92e6f3dbb7607d6a4d0441ec77359437e8b958ee2", opaque="a6feff632d495616728c8ef3532064ca457e3d0badcfa2db349a0433dcc4520f", qop=auth, nc=00000001, cnonce="d186e18e5c7172fa"
Accept: application/json
SE-Client-Version: Stable 45.0.2552.812
SE-Operating-System: Windows
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36 OPR/45.0.2552.812
Accept-Encoding: gzip, deflate, br
To calculate correct response
the password is needed, according to RFC 7616:
3.4.2. A1
If the algorithm parameter's value is "<algorithm>", e.g., "SHA-256",
then A1 is:
A1 = unq(username) ":" unq(realm) ":" passwd
where
passwd = < user's password >
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.