rofl0r / proxychains-ng

proxychains ng (new generation) - a preloader which hooks calls to sockets in dynamically linked programs and redirects it through one or more socks/http proxies. continuation of the unmaintained proxychains project. the sf.net page is currently not updated, use releases from github release page instead.
http://sourceforge.net/projects/proxychains-ng/files
GNU General Public License v2.0

proxychains-ng doesn't work with git protocol. #545

Closed hongyi-zhao closed 10 months ago

hongyi-zhao commented 10 months ago

I'm using the master version of proxychains-ng and tried to clone the lyx repo as follows but failed:

```shell
$ grep -Ev '^[ ]*(#|$)' proxychains-ng-socks5.conf
strict_chain
proxy_dns_daemon 127.0.0.1:1053
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
 localnet 127.0.0.0/255.0.0.0
 localnet 10.0.0.0/255.0.0.0
 localnet 172.16.0.0/255.240.0.0
 localnet 192.168.0.0/255.255.0.0
[ProxyList]
socks5  127.0.0.1 18888

$ proxychains4 -q -f proxychains-ng-socks5.conf /bin/git clone git://git.lyx.org/lyx.git
Cloning into 'lyx'...
127.0.0.1:43927 requested ip for git.lyx.org (224.0.0.1)
127.0.0.1:54617 requested name for 224.0.0.1 (git.lyx.org)
127.0.0.1:54026 requested name for 224.0.0.1 (git.lyx.org)
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```

On the other hand, I can do the clone via the same proxy as follows:

```shell
$ /bin/git -c http.proxy=socks5h://127.0.0.1:18888 -c core.sshCommand="ssh -oProxyCommand='nc -X 5 -x 127.0.0.1:18888 %h %p'" clone git://git.lyx.org/lyx.git
Cloning into 'lyx'...
^Cmote: Counting objects: 285814   

# Check the proxy is working in another console as follows:
$ sudo tcpdump -i lo port 18888 -w - |pv >/dev/null
tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
4.84MiB 0:09:39 [0.00 B/s] [                                                            <=>                                  ]

# Furthermore, this proxy works with the HTTPS protocol:
$ proxychains4 -q -f proxychains-ng-socks5.conf /bin/git clone https://github.com/torvalds/linux.git
Cloning into 'linux'...
127.0.0.1:59531 requested ip for github.com (224.0.0.2)
127.0.0.1:45826 requested name for 224.0.0.2 (github.com)
127.0.0.1:55259 requested name for 224.0.0.2 (github.com)
remote: Enumerating objects: 9955539, done.
^Cceiving objects:   0% (45834/9955539), 16.88 MiB | 11.25 MiB/s
```

Any tips for fixing this issue?

Regards, Zhao

rofl0r commented 10 months ago

> Any tips for fixing this issue?

first of all, if you want others to analyze your problems, you shouldn't mute the only helpful output, namely the output from proxychains-ng. so whether it works or not is not visible thanks to you using -q. if it really doesn't work, check for the usual suspects like static linked binaries. my git binary usually calls to the ssh binary to make git:// connections. so if either of them is static linked, it won't work.

hongyi-zhao commented 10 months ago

Thank you for your nice tips. See below for more details:

> so whether it works or not is not visible thanks to you using -q.

```shell
$ pkill proxychains4-da
$ proxychains4-daemon &
[1] 10604

$ grep -Ev '^[ ]*(#|$)' proxychains-ng-socks5.conf
strict_chain
proxy_dns_daemon 127.0.0.1:1053
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
localnet 127.0.0.0/255.0.0.0
localnet 10.0.0.0/255.0.0.0
localnet 172.16.0.0/255.240.0.0
localnet 192.168.0.0/255.255.0.0
[ProxyList]
socks5 127.0.0.1 18888
```

Monitor it by the following command in another terminal:

```shell
$ sudo tcpdump -i lo port 18888 -w - |pv >/dev/null
```

Test as follows:

```shell
$ proxychains4 -f /home/werner/Public/repo/github.com/rofl0r/proxychains-ng-socks5.conf /bin/git clone git://git.lyx.org/lyx.git
[proxychains] config file found: /home/werner/Public/repo/github.com/rofl0r/proxychains-ng-socks5.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.16-git-18-g1d0bc34
Cloning into 'lyx'...
[proxychains] Strict chain  ...  127.0.0.1:18888  ...  git.lyx.org:9418  ...  OK
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

$ grep -Ev '^[ ]*(#|$)' proxychains-ng-http.conf
strict_chain
proxy_dns_daemon 127.0.0.1:1053
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
localnet 127.0.0.0/255.0.0.0
localnet 10.0.0.0/255.0.0.0
localnet 172.16.0.0/255.240.0.0
localnet 192.168.0.0/255.255.0.0
[ProxyList]
http 127.0.0.1 8080
```

Monitor it by the following command in another terminal:

```shell
$ sudo tcpdump -i lo port 8080 -w - |pv >/dev/null
```

Test as follows:

```shell
$ proxychains4 -f /home/werner/Public/repo/github.com/rofl0r/proxychains-ng-http.conf /bin/git clone git://git.lyx.org/lyx.git
[proxychains] config file found: /home/werner/Public/repo/github.com/rofl0r/proxychains-ng-http.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.16-git-18-g1d0bc34
Cloning into 'lyx'...
[proxychains] Strict chain  ...  127.0.0.1:8080  ...  git.lyx.org:9418  ...  OK
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```


> if it really doesn't work, check for the usual suspects like static linked binaries.

```shell
$ ldd /bin/git
    linux-vdso.so.1 (0x00007ffdb69fb000)
    libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x000015243d3dc000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x000015243d3c0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x000015243cc00000)
    /lib64/ld-linux-x86-64.so.2 (0x000015243d498000)
$ which proxychains4 |xargs ldd
    linux-vdso.so.1 (0x00007fffad1c4000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00001522a0a00000)
    /lib64/ld-linux-x86-64.so.2 (0x00001522a0dd2000)
```

> my git binary usually calls to the ssh binary to make git:// connections.

How do you know about this calling mechanism?

See here for the related discussion.

rofl0r commented 10 months ago

```shell
Cloning into 'lyx'...
[proxychains] Strict chain  ...  127.0.0.1:8080  ...  git.lyx.org:9418  ...  OK
fatal: Could not read from remote repository.
```

we can see from the output that proxychains works, in that the process is hooked and the connection hijacked and sent over your proxy. why it then fails with the "could not read" message is another topic, maybe the git server on the other side isn't properly set up, has connection issues, or the china GFW interrupts the connection somehow. could also be that the local proxy you use doesn't work as expected.

i know about that git calls to ssh because i tried to use alternative ssh clients (dropbear), and then suddenly git didn't work anymore, so i straced git to see what happens.
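
The reading of the output given in the comment above (preload library initialised, chain connected, application still failed) can be applied mechanically to a captured run. This is an added example, not part of the thread or of proxychains-ng; the function names and verdict labels are this example's own, and it matches only the line formats visible in this thread.

```shell
#!/bin/sh
# Added example. Reads a captured proxychains4 run (stdout+stderr) on stdin
# and prints one verdict. Verdict strings are labels made up for this example.
triage_run() {
    awk '
        { sub(/[ \t\r]+$/, "") }                        # drop trailing whitespace
        /^\[proxychains\] DLL init:/ { hooked = 1 }     # preload library ran in a process
        /^\[proxychains\] [A-Za-z]+ chain / {           # the thread shows "Strict chain"
            chain = 1
            n = split($0, hop, /[ ]+\.\.\.[ ]+/)        # hops are separated by " ... "
            if (hop[n] == "OK") { ok = 1; target = hop[n - 1] }
        }
        /^fatal:/ { appfail = 1 }                       # git error prefix, as in the thread
        END {
            if (!hooked)      print "not-hooked"        # e.g. static binary: nothing to preload into
            else if (!chain)  print "hooked-no-connect" # hooked, but no connection was intercepted
            else if (!ok)     print "chain-failed"      # assumption: chain line without trailing OK
            else if (appfail) print "proxied-then-app-failed " target
            else              print "proxied-ok " target
        }'
}

# Constructed sample: the failing git:// run, copied from the output in this thread.
sample_git_run() {
    cat <<'EOF'
[proxychains] config file found: proxychains-ng-socks5.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.16-git-18-g1d0bc34
Cloning into 'lyx'...
[proxychains] Strict chain  ...  127.0.0.1:18888  ...  git.lyx.org:9418  ...  OK
fatal: Could not read from remote repository.
EOF
}

sample_git_run | triage_run
```

A `proxied-then-app-failed` verdict places the fault after the hook: the proxy, the remote server, or the timeouts, which is where the rest of the thread looks.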

hongyi-zhao commented 10 months ago

> why it then fails with the "could not read" message is another topic, maybe the git server on the other side isn't properly set up, has connection issues, or the china GFW interrupts the connection somehow. could also be that the local proxy you use doesn't work as expected.

  1. The local proxy itself works, as shown below:

```shell
werner@X10DAi:~$ proxychains4 -f /home/werner/Public/repo/github.com/rofl0r/proxychains-ng-socks5.conf /bin/git clone https://github.com/torvalds/linux.git
[proxychains] config file found: /home/werner/Public/repo/github.com/rofl0r/proxychains-ng-socks5.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.16-git-18-g1d0bc34
Cloning into 'linux'...
[proxychains] DLL init: proxychains-ng 4.16-git-18-g1d0bc34
[proxychains] DLL init: proxychains-ng 4.16-git-18-g1d0bc34
[proxychains] Strict chain  ...  127.0.0.1:18888  ...  github.com:443  ...  OK
[proxychains] DLL init: proxychains-ng 4.16-git-18-g1d0bc34
remote: Enumerating objects: 9955539, done.
^Cceiving objects:   2% (199111/9955539), 95.81 MiB | 16.05 MiB/s
```

  2. The lyx git server on the other side also works if I connect to it directly, though the speed is not fast:

```shell
werner@X10DAi:~$ /bin/git clone git://git.lyx.org/lyx.git
Cloning into 'lyx'...
remote: Counting objects: 503349, done.
remote: Compressing objects: 100% (91927/91927), done.
^Cceiving objects:  12% (64366/503349), 40.44 MiB | 606.00 KiB/s
```

  3. But, as shown before, when called through proxychains4, it will not be able to use my proxy:

```shell
$ proxychains4 -f /home/werner/Public/repo/github.com/rofl0r/proxychains-ng-socks5.conf /bin/git clone git://git.lyx.org/lyx.git
[proxychains] config file found: /home/werner/Public/repo/github.com/rofl0r/proxychains-ng-socks5.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.16-git-18-g1d0bc34
Cloning into 'lyx'...
[proxychains] Strict chain  ...  127.0.0.1:18888  ...  git.lyx.org:9418  ...  OK
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```

> i know about that git calls to ssh because i tried to use alternative ssh clients (dropbear), and then suddenly git didn't work anymore, so i straced git to see what happens.

I also tried the following, but I didn't find anything related to ssh:

```shell
werner@X10DAi:~$ strace /bin/git clone git://git.lyx.org/lyx.git |& grep ssh
werner@X10DAi:~$ 
```

rofl0r commented 10 months ago

you need strace -f and then grep for exec to see the chain of processes started. if it's just due to your git server being too slow, raise the timeouts in proxychains.conf. maybe 60 seconds instead of 8.
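
The `strace -f` plus `grep exec` step suggested above can be turned into a list of the binaries a command really started, each of which is a candidate for the static-linking check. This is an added example, not from the thread; `exec_chain` and `sample_strace` are names made up here, and the sample mixes two lines from this thread with one constructed failing `execve`.

```shell
#!/bin/sh
# Added example. Reads `strace -f` output on stdin and prints "pid path"
# for every execve that succeeded; failed attempts are skipped.
exec_chain() {
    awk '
        {
            pid = "main"                                # the traced parent has no [pid N] prefix
            if ($1 == "[pid") { pid = $2; sub(/\]$/, "", pid) }
        }
        /execve\("/ {
            path = $0
            sub(/^.*execve\("/, "", path)               # keep what follows execve("
            sub(/".*$/, "", path)                       # cut at the closing quote
            if ($0 ~ /<unfinished \.\.\.>[ \t]*$/) { pending[pid] = path; next }
            if ($0 ~ /\) += 0[ \t]*$/) print pid, path
            next
        }
        /<\.\.\. execve resumed>/ {                     # result of an interrupted execve line
            if ((pid in pending) && $0 ~ /= 0[ \t]*$/) print pid, pending[pid]
            delete pending[pid]
        }'
}

# Sample input: first, third and fourth lines are from this thread;
# the second line is constructed to show a failed execve being ignored.
sample_strace() {
    cat <<'EOF'
execve("/bin/git", ["/bin/git", "clone", "git://git.lyx.org/lyx.git"], 0x7ffe3732e528 /* 102 vars */) = 0
[pid 13080] execve("/nonexistent/helper", ["helper"], 0x5625b4ab7760 /* 104 vars */) = -1 ENOENT (No such file or directory)
[pid 13081] execve("/usr/lib/git-core/git", ["/usr/lib/git-core/git", "index-pack", "--stdin", "--fix-thin", "--keep=fetch-pack 13076 on X10DA"..., "--check-self-contained-and-conne"...], 0x5625b4ab7760 /* 104 vars */ <unfinished ...>
[pid 13081] <... execve resumed>)       = 0
EOF
}

sample_strace | exec_chain
```

strace writes to stderr, so a live capture needs `2>&1` (or `|&` in bash) before the pipe; running `ldd` on each printed path then shows whether any process in the chain is statically linked.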

hongyi-zhao commented 10 months ago

> you need strace -f and then grep for exec to see the chain of processes started.

```shell
werner@X10DAi:~$ strace -f /bin/git clone git://git.lyx.org/lyx.git |& grep exec
execve("/bin/git", ["/bin/git", "clone", "git://git.lyx.org/lyx.git"], 0x7ffe3732e528 /* 102 vars */) = 0
[pid 13081] execve("/usr/lib/git-core/git", ["/usr/lib/git-core/git", "index-pack", "--stdin", "--fix-thin", "--keep=fetch-pack 13076 on X10DA"..., "--check-self-contained-and-conne"...], 0x5625b4ab7760 /* 104 vars */ <unfinished ...>
[pid 13081] <... execve resumed>)       = 0
```

> if it's just due to your git server being too slow, raise the timeouts in proxychains.conf. maybe 60 seconds instead of 8.

I tried the following method and found that it only worked once:

```shell
$ grep -Ev '^[ ]*(#|$)' proxychains-ng-socks5.conf
strict_chain
proxy_dns_daemon 127.0.0.1:1053
remote_dns_subnet 224
tcp_read_time_out 120000
tcp_connect_time_out 60000
 localnet 127.0.0.0/255.0.0.0
 localnet 10.0.0.0/255.0.0.0
 localnet 172.16.0.0/255.240.0.0
 localnet 192.168.0.0/255.255.0.0
[ProxyList]
socks5  127.0.0.1 18888

werner@X10DAi:~/Public/repo/github.com/rofl0r$ proxychains4 -f proxychains-ng-socks5.conf /bin/git clone git://git.lyx.org/lyx.git
[proxychains] config file found: proxychains-ng-socks5.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.16-git-18-g1d0bc34
Cloning into 'lyx'...
[proxychains] Strict chain  ...  127.0.0.1:18888  ...  git.lyx.org:9418  ...  OK
[proxychains] DLL init: proxychains-ng 4.16-git-18-g1d0bc34
remote: Counting objects: 503349, done.
remote: Compressing objects: 100% (91927/91927), done.
^Cceiving objects:  12% (61605/503349), 30.01 MiB | 1.15 MiB/s  
werner@X10DAi:~/Public/repo/github.com/rofl0r$ proxychains4 -f proxychains-ng-socks5.conf /bin/git clone git://git.lyx.org/lyx.git
[proxychains] config file found: proxychains-ng-socks5.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.16-git-18-g1d0bc34
Cloning into 'lyx'...
[proxychains] Strict chain  ...  127.0.0.1:18888  ...  git.lyx.org:9418  ...  OK
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
werner@X10DAi:~/Public/repo/github.com/rofl0r$ proxychains4 -f proxychains-ng-socks5.conf /bin/git clone git://git.lyx.org/lyx.git
[proxychains] config file found: proxychains-ng-socks5.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.16-git-18-g1d0bc34
Cloning into 'lyx'...
[proxychains] Strict chain  ...  127.0.0.1:18888  ...  git.lyx.org:9418  ...  OK
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
werner@X10DAi:~/Public/repo/github.com/rofl0r$ proxychains4 -f proxychains-ng-socks5.conf /bin/git clone git://git.lyx.org/lyx.git
[proxychains] config file found: proxychains-ng-socks5.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.16-git-18-g1d0bc34
Cloning into 'lyx'...
[proxychains] Strict chain  ...  127.0.0.1:18888  ...  git.lyx.org:9418  ...  OK
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
werner@X10DAi:~/Public/repo/github.com/rofl0r$ proxychains4 -f proxychains-ng-socks5.conf /bin/git clone git://git.lyx.org/lyx.git
[proxychains] config file found: proxychains-ng-socks5.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.16-git-18-g1d0bc34
Cloning into 'lyx'...
[proxychains] Strict chain  ...  127.0.0.1:18888  ...  git.lyx.org:9418  ...  OK
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
werner@X10DAi:~/Public/repo/github.com/rofl0r$ proxychains4 -f proxychains-ng-socks5.conf /bin/git clone git://git.lyx.org/lyx.git
[proxychains] config file found: proxychains-ng-socks5.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.16-git-18-g1d0bc34
Cloning into 'lyx'...
[proxychains] Strict chain  ...  127.0.0.1:18888  ...  git.lyx.org:9418  ...  OK
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```

When it works, I can confirm that the local proxy has been used:

image

rofl0r commented 10 months ago

well, if it worked once, it means that it works in general. you're of course free to keep on debugging where the issue lies, but i highly doubt it's due to some sort of heisenbug in proxychains code, since i (and thousands of other people) use it daily without issues.

hongyi-zhao commented 10 months ago

So, the reason is as follows which is commented here in the related discussion: image