Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
Mar. 22, 2022, 11:10 AM
Post: #16
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
Um, I've watched that video loop a half a dozen times.
What am I supposed to be seeing? I see zero Cloudflare captcha before or after which seems to me is what is "required" to demonstrate any "solution".
Mar. 22, 2022, 11:57 AM
(This post was last modified: Mar. 22, 2022 11:58 AM by cattleyavns.)
Post: #17
(Mar. 22, 2022 11:10 AM)ProxRocks Wrote: Um, I've watched that video loop a half a dozen times.
If you use a transparent proxy like Proxydomo, mitmproxy with SSL Filtering enabled, the website will show a captcha page, because CF side will fingerprint your Ciphersuite+TLS Extensions, then compare your JA3 string with a blacklist/whitelist and then they decide to block your request with a captcha or not (depends on many factors: IP history, JA3 string...)
I think, you may not see captcha page if your IP history is trustworthy, but not in my case haha (mine is dynamic IP, and because it's dynamic IP so people likely did many evil activities with my IP), maybe.
This is what I get if I don't use my local proxy and use mitmproxy instead:
IMG LINK: https://i.imgur.com/lVfBhKI.png
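The JA3 string mentioned in the post above, shown from the server side as an added example that is not part of the original thread: it parses a ClientHello and builds the fingerprint a detector would compare against its lists (the string's MD5 is the usual lookup key). `SAMPLE` is a constructed record, and the names `ja3`, `u16_list` and `is_grease` are chosen here for illustration.

```python
import hashlib
import struct

# Constructed sample: one TLS record holding a minimal ClientHello (not a capture).
SAMPLE = bytes.fromhex(
    "16 0301 0056" "01 000052"           # record header, handshake header
    "0303" + "00" * 32 + "00"            # client_version, random, empty session_id
    "000a 0a0a 1301 1302 c02b c02f"      # cipher suites (the first one is GREASE)
    "0100" "001f"                        # compression methods, extensions length
    "1a1a0000"                           # GREASE extension, no data
    "000a0008 0006 0a0a 001d 0017"       # supported_groups: GREASE, x25519, secp256r1
    "000b0002 0100"                      # ec_point_formats: uncompressed
    "00170000" "ff010001 00"             # extended_master_secret, renegotiation_info
)

def is_grease(v):
    # RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are left out of JA3.
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)

def u16_list(buf):
    return [v for (v,) in struct.iter_unpack("!H", buf) if not is_grease(v)]

def ja3(record):
    """Return (ja3_string, md5_hex) for one TLS record holding a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record containing a ClientHello")
    p = 9                                    # skip record and handshake headers
    version = struct.unpack_from("!H", record, p)[0]
    p += 2 + 32                              # client_version + random
    p += 1 + record[p]                       # session_id
    n = struct.unpack_from("!H", record, p)[0]
    ciphers = u16_list(record[p + 2:p + 2 + n])
    p += 2 + n
    p += 1 + record[p]                       # compression methods
    exts, groups, formats = [], [], []
    if p < len(record):                      # extensions are optional
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, p)
            data = record[p + 4:p + 4 + elen]
            p += 4 + elen
            if not is_grease(etype):
                exts.append(etype)
            if etype == 10:                  # supported_groups
                groups = u16_list(data[2:])
            elif etype == 11:                # ec_point_formats
                formats = list(data[1:])
    fields = [[version], ciphers, exts, groups, formats]
    s = ",".join("-".join(map(str, f)) for f in fields)
    return s, hashlib.md5(s.encode()).hexdigest()
```

Because the cipher and extension order is part of the string, two clients offering the same suites in a different order produce different fingerprints.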
Mar. 26, 2022, 04:20 AM
Post: #18
(Mar. 22, 2022 03:02 AM)cattleyavns Wrote: Should I share the whole progress ?
I think you've given sufficient information already; on the other hand, browsers' ciphersuites and user-agent strings are not exactly secret either. There's a nice list of their ciphersuites here:
Code:
https://www.ssllabs.com/ssltest/clients.html
The other thing I'm considering is allowing Proxomitron Reborn to use one of the varyingly-compatible forks of OpenSSL like BoringSSL, which is used in e.g. Chrome and doesn't send SCSV. Another alternative is the native Windows Schannel, but it's significantly different in API and would require quite a lot more work. Stock OpenSSL is indeed quite bot-like in its default fingerprint, no doubt because it's a widely used default SSL library for everything---except, unfortunately, most browsers.
The following 1 user says Thank You to amy for this post: defconnect
Apr. 07, 2022, 11:55 AM
Post: #19
Have there been any behind-the-scenes advancements regarding Proxomitron Reborn not playing nicely with Cloudflare captchas?
Apr. 10, 2022, 08:46 AM
Post: #20
I don't think so, all secrets are very likely revealed, we just need to implement our anti-TLS Fingerprint algorithms/code.
Just we'll need to use non-OpenSSL code/recompile OpenSSL to achieve perfection. And BoringSSL is a very good candidate.
May. 26, 2022, 02:34 PM
Post: #21
Kind of a bummer that this topic seems to have died.
Jun. 02, 2022, 01:40 PM
Post: #22
I'm just very busy with other things, and I suspect others are too...
(Apr. 10, 2022 08:46 AM)cattleyavns Wrote: And BoringSSL is a very good candidate.
Unfortunately not. I did a little more research and the very first thing its description says is "Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability." I am reminded of the difficulties caused by switching from the 0.9.x that Scott originally used and the 1.0.x that Proxomitron Reborn uses, and think patched OpenSSL will probably be the best choice for now. I haven't had time to figure out how to compile OpenSSL 1.1 yet (TLS 1.3 - might be part of future fingerprinting - is the most needed from that) but once more sites start doing this stuff I'll be forced to do it at some point.
The following 1 user says Thank You to amy for this post: ProxRocks
Nov. 20, 2022, 02:51 PM
(This post was last modified: Nov. 20, 2022 02:56 PM by cattleyavns.)
Post: #23
Hi, I'm here again, just want to update the progress of TLS Fingerprint cracking, this curl-impersonate-win project managed to crack TLS Fingerprint (tested), download link: https://github.com/depler/curl-impersona...tag/7.84.0
To test, type:
Code:
curl_chrome104.bat https://alternativeto.net
Success, return 200 status. Download "normal" curl ( https://curl.se/windows/ ), and test again:
Code:
curl https://alternativeto.net
WILL fail, return 403.
So yeah, I think people are starting to fight back this degeneration technology, and have made success. For some high-level language like Python, or libraries with very limited customization like OpenSSL, it's still pretty hard to crack TLS Fingerprint because Python doesn't support changing TLS's ClientHello packet, sadly and it's very popular.
The following 1 user says Thank You to cattleyavns for this post: ProxRocks