[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-3454":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":16,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":15,"compositeScore":18,"rankGlobal":9,"rankLanguage":9,"license":9,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":21,"hasPages":19,"topics":22,"createdAt":9,"pushedAt":9,"updatedAt":23,"readmeContent":24,"aiSummary":25,"trendingCount":15,"starSnapshotCount":15,"syncStatus":26,"lastSyncTime":27,"discoverSource":28},3454,"sni-spoof","selfishblackberry177\u002Fsni-spoof","selfishblackberry177","Go port of @patterniha's SNI spoofing \u002F DPI bypass TCP forwarder (Linux)",null,"Go",207,28,1,4,0,3,97,52.59,false,"main",true,[],"2026-06-12 04:00:17","# sni-spoof\n\nGo port of [@patterniha](https:\u002F\u002Fgithub.com\u002Fpatterniha)'s SNI-Spoofing \u002F DPI-bypass TCP forwarder — **his idea, all credit to him**. This is just a faithful reimplementation of the original Windows (WinDivert + Python) tool.\n\n**Linux and macOS.** Linux uses `AF_PACKET` raw sockets (`CAP_NET_RAW` \u002F root). macOS uses BPF via `\u002Fdev\u002Fbpf*` (needs root, or r\u002Fw access to a bpf device).\n\n## How it works\n\nA local TCP forwarder that tricks stateful DPI into whitelisting the flow before the real TLS ClientHello is sent:\n\n1. Accept a client, dial the upstream, let the kernel do the TCP 3-way handshake normally.\n2. An `AF_PACKET` sniffer watches the handshake. It records the outbound SYN's ISN, and the instant it sees the outbound 3rd-handshake ACK it injects a crafted TLS ClientHello frame carrying an innocuous `FAKE_SNI` (e.g. `security.vercel.com`).\n3. The fake packet uses `seq = ISN + 1 - len(fake)` — i.e. a sequence number *before* the server's receive window. 
**DPI parses it and whitelists the connection; the server drops it as out-of-window.**\n4. The sniffer waits for the server's reply ACK with `ack == ISN + 1`, which proves the server ignored the fake and is still expecting the real byte stream. Only then does the forwarder start relaying real client↔server data. The real ClientHello is now invisible to DPI.\n5. If that confirmation doesn't arrive within 2s, the connection is aborted.\n\n## Build \u002F run\n\n```\ngo build -o sni-spoof .\nsudo .\u002Fsni-spoof config.json\n```\n\nWorks on Linux and macOS (amd64 \u002F arm64). On macOS you may need to allow the binary to open `\u002Fdev\u002Fbpf*` — running under `sudo` is the simplest option.\n\n`config.json`:\n```json\n{\n  \"LISTEN_HOST\": \"0.0.0.0\",\n  \"LISTEN_PORT\": 40443,\n  \"CONNECT_IP\": \"104.18.4.130\",\n  \"CONNECT_PORT\": 443,\n  \"FAKE_SNI\": \"security.vercel.com\"\n}\n```\n\nPoint your client (xray, etc.) at `LISTEN_HOST:LISTEN_PORT` instead of the real upstream.\n","sni-spoof is a TCP forwarding tool for SNI spoofing and DPI bypass, originally designed by @patterniha and rewritten in Go to support Linux and macOS. The project deceives deep packet inspection systems by injecting a forged TLS ClientHello message after the three-way handshake, thereby hiding the real traffic. Its core functionality includes using `AF_PACKET` raw sockets or the BPF mechanism to monitor TCP connections and injecting a packet carrying a fake SNI field at the right moment, ensuring the server ignores that packet and keeps waiting for the client's actual content. The tool is suited to scenarios that need to circumvent network censorship or to keep sensitive communications from being monitored, such as when using proxy software like xray.",2,"2026-06-11 02:54:34","CREATED_QUERY"]