Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
Mar. 22, 2022, 11:10 AM
Post: #16
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
Um, I've watched that video loop a half a dozen times.

What am I supposed to be seeing?

I see zero Cloudflare captcha before or after, which seems to me is what is "required" to demonstrate any "solution".
Mar. 22, 2022, 11:57 AM (This post was last modified: Mar. 22, 2022 11:58 AM by cattleyavns.)
Post: #17
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
(Mar. 22, 2022 11:10 AM)ProxRocks Wrote:  Um, I've watched that video loop half a dozen times.

What am I supposed to be seeing?

I see zero Cloudflare captcha before or after, which seems to me is what is "required" to demonstrate any "solution".

If you use a transparent proxy like Proxydomo or mitmproxy with SSL filtering enabled, the website will show a captcha page, because the CF side will fingerprint your cipher suites + TLS extensions, then compare your JA3 string with a blacklist/whitelist and then decide whether to block your request with a captcha or not (it depends on many factors: IP history, JA3 string...).

I think you may not see the captcha page if your IP history is trustworthy, but not in my case haha (mine is a dynamic IP, and because it's a dynamic IP, people have likely done many evil activities with my IP), maybe. This is what I get if I don't use my local proxy and use mitmproxy instead:

IMG LINK: https://i.imgur.com/lVfBhKI.png
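What the "JA3 string" in the post above actually is, as an added example that is not code from this thread, from Proxomitron Reborn or from Cloudflare: a parser that pulls the five JA3 fields (version, cipher suites, extension types, supported groups, EC point formats) out of a raw TLS ClientHello record, drops GREASE values and hashes the result, which is the classification step an edge or IDS performs before deciding to serve a captcha. The sample ClientHello is constructed here (the hostname example.com and the cipher/extension values are assumptions chosen to resemble a Chrome hello), and the same function can be pointed at a capture of your own proxy's hello to see what a server sees.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are dropped from JA3; that is what keeps a Chrome
# fingerprint stable even though Chrome randomises them per connection.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

def parse_client_hello(record):
    """Extract the JA3-relevant fields from a TLS record carrying a ClientHello."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    p = 9  # skip the 5-byte record header and 4-byte handshake header
    version = struct.unpack("!H", record[p:p + 2])[0]
    p += 2 + 32         # legacy_version, then the 32-byte client random
    p += 1 + record[p]  # session id (1-byte length + value)
    cs_len = struct.unpack("!H", record[p:p + 2])[0]
    ciphers = [c for (c,) in struct.iter_unpack("!H", record[p + 2:p + 2 + cs_len])]
    p += 2 + cs_len
    p += 1 + record[p]  # compression methods (1-byte length + values)
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    ext_types, groups, formats = [], [], []
    while p < end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        body = record[p + 4:p + 4 + elen]
        p += 4 + elen
        ext_types.append(etype)
        if etype == 10:    # supported_groups: 2-byte list length, then 2-byte ids
            groups = [g for (g,) in struct.iter_unpack("!H", body[2:])]
        elif etype == 11:  # ec_point_formats: 1-byte list length, then 1-byte ids
            formats = list(body[1:])
    return version, ciphers, ext_types, groups, formats

def ja3(record):
    """Return (JA3 string, JA3 MD5 hash) for a ClientHello record."""
    version, *lists = parse_client_hello(record)
    s = ",".join([str(version)] + ["-".join(str(v) for v in l if v not in GREASE)
                                   for l in lists])
    return s, hashlib.md5(s.encode(), usedforsecurity=False).hexdigest()

def _ext(etype, body): return struct.pack("!HH", etype, len(body)) + body

# Constructed sample: a short Chrome-like ClientHello with GREASE in every list.
_exts = (_ext(0x1A1A, b"") + _ext(0, struct.pack("!HBH", 14, 0, 11) + b"example.com")
         + _ext(10, struct.pack("!H", 8) + bytes.fromhex("2a2a001d00170018"))
         + _ext(11, b"\x01\x00") + _ext(43, b"\x04\x03\x04\x03\x03"))
_body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 12)
         + bytes.fromhex("0a0a13011302c02bc02f00ff") + b"\x01\x00"
         + struct.pack("!H", len(_exts)) + _exts)
SAMPLE_CLIENT_HELLO = (b"\x16\x03\x01" + struct.pack("!H", len(_body) + 4)
                       + b"\x01" + len(_body).to_bytes(3, "big") + _body)
```

Note that the extension order and the 0x00ff (renegotiation SCSV) suite at the end of the cipher list both land in the string, so a proxy that re-orders extensions or appends a suite the browser never sends gets a different hash even with an identical cipher set.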
Mar. 26, 2022, 04:20 AM
Post: #18
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
(Mar. 22, 2022 03:02 AM)cattleyavns Wrote:  Should I share the whole progress?
I think you've given sufficient information already; on the other hand, browsers' ciphersuites and user-agent strings are not exactly secret either. There's a nice list of their ciphersuites here:
Code:
https://www.ssllabs.com/ssltest/clients.html
Removing the SCSV from OpenSSL requires a patch/recompile (it's hardcoded) so it is not easy to do, but on the other hand, looking through that list, it seems besides bots some older Android and Apple systems will send it. (They might also be using OpenSSL internally.)

The other thing I'm considering is allowing Proxomitron Reborn to use one of the varyingly-compatible forks of OpenSSL like BoringSSL, which is used in e.g. Chrome and doesn't send SCSV. Another alternative is the native Windows Schannel, but it's significantly different in API and would require quite a lot more work. Stock OpenSSL is indeed quite bot-like in its default fingerprint, no doubt because it's a widely used default SSL library for everything---except, unfortunately, most browsers.
The following 1 user says Thank You to amy for this post:
defconnect
Apr. 07, 2022, 11:55 AM
Post: #19
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
Have there been any behind-the-scenes advancements regarding Proxomitron Reborn not playing nicely with Cloudflare captchas?
Apr. 10, 2022, 08:46 AM
Post: #20
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
I don't think so; all secrets are very likely revealed, we just need to implement our anti-TLS-fingerprint algorithms/code.
We'll just need to use non-OpenSSL code or recompile OpenSSL to achieve perfection. And BoringSSL is a very good candidate.
May. 26, 2022, 02:34 PM
Post: #21
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
Kind of a bummer that this topic seems to have died.
Jun. 02, 2022, 01:40 PM
Post: #22
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
I'm just very busy with other things, and I suspect others are too...
(Apr. 10, 2022 08:46 AM)cattleyavns Wrote:  And BoringSSL is a very good candidate.
Unfortunately not. I did a little more research and the very first thing its description says is "Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability." I am reminded of the difficulties caused by switching between the 0.9.x that Scott originally used and the 1.0.x that Proxomitron Reborn uses, and think patched OpenSSL will probably be the best choice for now. I haven't had time to figure out how to compile OpenSSL 1.1 yet (TLS 1.3 - which might be part of future fingerprinting - is the most needed thing from that), but once more sites start doing this stuff I'll be forced to do it at some point.
The following 1 user says Thank You to amy for this post:
ProxRocks
Nov. 20, 2022, 02:51 PM (This post was last modified: Nov. 20, 2022 02:56 PM by cattleyavns.)
Post: #23
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
Hi, I'm here again, just want to update the progress of TLS fingerprint cracking: this curl-impersonate-win project managed to crack TLS fingerprinting (tested). Download link: https://github.com/depler/curl-impersona...tag/7.84.0

To test, type:

Code:
curl_chrome104.bat https://alternativeto.net

Success, returns 200 status.

Download "normal" curl ( https://curl.se/windows/ ) and test again:

Code:
curl https://alternativeto.net

WILL fail, returns 403.

So yeah, I think people are starting to fight back against this degenerate technology, and have had success.

For some high-level languages like Python, or libraries with very limited customization like OpenSSL, it's still pretty hard to crack TLS fingerprinting because Python doesn't support changing the TLS ClientHello packet, sadly, and it's very popular.
The following 1 user says Thank You to cattleyavns for this post:
ProxRocks
Sep. 26, 2024, 05:01 AM
Post: #24
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
Almost 2 years later and there are some public(!) discussions about this in OpenSSL itself; making it look more like a browser is becoming important:
Code:
https://github.com/openssl/openssl/issues/19220

I have been working on my own towards the same goal with Proxomitron Reborn, so it's not clear who will get there first; but the number of sites I've been encountering that do this sort of client discrimination has risen sharply within the past few months, so this has motivated me quite a lot more! No doubt many others are also fighting back.
The following 1 user says Thank You to amy for this post:
ProxRocks