Grasshopper is a UDP packet forwarder that listens for incoming packets and forwards them to a configured destination. It optionally supports encryption for both incoming and outgoing packets, using different keys and cryptographic methods.
Grasshopper functions as a chained relay system. For example, consider a chained DNS query:
ββββββββββββββ βββββββββββββββββ
β ENCRYPTED β β RE-ENCRYPTION β
ββββββββ¬ββββββ β AES ββββΊ 3DES β
β βββββ¬ββββββββββββ
β β
ββββββββββββΌ βββββββββββββββ βββββββββββ
<HOP0> HOPS(AES) β DECRYPTED ββΌ <HOP5> HOPS(FINAL)
βββββββββββ β ββββββ β DATA HOPS(3DES) β βββ΄βββ ββββββββββββββ
β dig xxx βββΊ CLEAR TEXT βHOP1βΌββ CIPHER βββΊ PACKET βββ΄βββ β DNS βHop6βββΊ 8.8.8.8:53 β
β @hop0 β β βHop2β (AES) β βHop4ββ CIPHER βββΊ QUERY βHop7β ββββββββββββββ
βββββββββββ β β² βHOP3β <HOP2> β² βHop5β (3DES) β βββ¬βββ
β β ββββββ β β βββ¬βββ β β
ββββΌβββββββ βββββββΌβββββββ βββββββββββ
β β
ββββΌβββββββββ β
β β β
β OPTIONAL ββββββββββββββββββββ
β PACKET β
β PROCESSOR β
β β
βββββββββββββ
To install the latest version of Grasshopper, use the following command:
go install github.com/xtaci/grasshopper/cmd/grasshopper@latest Grasshopper supports the following command-line parameters:
Grasshopper is a UDP packet forwarder that listens for incoming packets and forwards them to a configured destination. It optionally supports cryptography for both incoming and outgoing packets, using different keys and methods. Optionally, the listener can be configured to apply cryptogrraphy on both the incoming and outgoing packets, with different keys and methods.
Usage:
grasshopper [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
help Help about any command
start Start a listener for UDP packet forwarding
Flags:
--ci string Cryptography method for incoming data. Available options: aes, aes-128, aes-192, qpp, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, sm4, none (default "qpp")
--co string Cryptography method for outgoing data. Available options: aes, aes-128, aes-192, qpp, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, sm4, none (default "qpp")
-c, --config string config file name
-h, --help help for grasshopper
--ki string Secret key to encrypt and decrypt for the last hop(client-side) (default "it's a secret")
--ko string Secret key to encrypt and decrypt for the next hops (default "it's a secret")
-l, --listen string Listener address, eg: "IP:1234" (default ":1234")
-n, --nexthops strings Servers to randomly forward to (default [127.0.0.1:3000])
--sockbuf int Socket buffer size for the listener (default 1048576)
--timeout duration Idle timeout duration for a UDP connection (default 1m0s)
-t, --toggle Help message for toggle
-v, --version version for grasshopper
Use "grasshopper [command] --help" for more information about a command.
- SM4 (ε½ε―)
- AES (Advanced Encryption Standard), 128, 192, 256-bit
- QPP (Quantum Permutation Pad)
- Salsa20 (https://en.wikipedia.org/wiki/Salsa20)
- Blowfish (https://en.wikipedia.org/wiki/Blowfish_(cipher))
- Twofish (https://en.wikipedia.org/wiki/Twofish)
- Cast5 (https://en.wikipedia.org/wiki/CAST-128)
- 3DES (https://en.wikipedia.org/wiki/Triple_DES)
- Tea (Tiny Encryption Algorithm)
- XTea (https://en.wikipedia.org/wiki/XTEA)
Use ncat to start a UDP echo server on port 5000:
ncat -e /bin/cat -k -u -l 5000Run the following command to start a relay:
./grasshopper start --ci aes --co none -l "127.0.0.1:4001" -n "127.0.0.1:5000"--ci aes: Applies encryption to incoming packets.--co none: Forwards plaintext to thencatecho server.
Run the following command to start another relay:
./grasshopper start --ci none --co aes -l "127.0.0.1:4000" -n "127.0.0.1:4001"--ci none: No encryption is applied to incoming packets.--co aes: Encrypts packets and forwards them to the next hop.
Use ncat to send UDP packets and interact with the relay chain:
ncat -u 127.0.0.1 2132βββββββββββββ YOURβLAPTOP βββββββββββββββ βββββββββββ CLOUDβSERVER ββββββββββββ
β β β β
β β β β
β βββββββββββββββββββββ ββββββββββββ β β ββββββββββββ βββββββββββββββββ β
β β β β β β β β β β β β
β β dig google.com βββββΊ Level-1 β β β β Level-2 βββββΊ Google DNS:53 β β
β β @127.0.0.1 -p 4000β β Relayer βΌβββΌ ENCRYPTED βΌββΊ Relayer β β CloudFlare:53 β β
β β β β β β UDP β β β β β β
β βββββββββββββββββββββ ββββββββββββ β β ββββββββββββ βββββββββββββββββ β
β β β β
β β β β
βββββββββββββββββββββββββββββββββββββββββ βββββββββββββββββββββββββββββββββββββ
./grasshopper start --ci aes --co none -l "CLOUD_PUBLIC_IP:4000" -n "8.8.8.8:53,1.1.1.1:53"--ci aes: Decrypts incoming packets from the Level-1 relay. (cistands for cipher-in)--co none: Forwards decrypted plaintext DNS query packets to the DNS server. (costands for cipher-out)
./grasshopper start --ci none --co aes -l "127.0.0.1:4000" -n "CLOUD_PUBLIC_IP:4000"--ci none: Since thedigcommand sends queries in plaintext, no decryption is needed for incoming packets.--co aes: Encrypts and forwards packets to the Level-2 relay.
dig google.com @127.0.0.1 -p 4000