Extract TLS certificates from pcap files or network interfaces, fingerprint TLS client/server interactions with ja3/ja3s
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Jean-Louis Huynen 006e37eafb
chg [modules] going modular
6 months ago
d4tls Merge branch 'greasebug' 1 year ago
etls Some tests on etls + minor changes on d4tls 1 year ago
media updates README 1 year ago
.gitignore initial PoC 1 year ago
LICENSE Initial commit 1 year ago
Makefile Adds Makefile, simpler concurrency 1 year ago
README.md updates README 1 year ago
d4-tlsf.go removes indent, nano 3339 time for files... 1 year ago
go.mod chg [modules] going modular 6 months ago
go.sum chg [modules] going modular 6 months ago

README.md

sensor-d4-tls-fingerprinting

Release Software License Go Report Card

sensor-d4-tls-fingerprinting is intended to be used to feed a D4 project client (It can be used in standalone though).

Main features

  • extracts TLS certificates from pcap files or network interfaces
  • fingerprints TLS client/server interactions with ja3/ja3s
  • fingerprints TLS interactions with TLSH fuzzy hashing
  • write certificates in a folder
  • export in JSON to files, or stdout

Use

This project is currently in development and is subject to change, check the list of issues.

Compile from source

requirements

  • git
  • golang >= 1.5
  • libpcap
#apt install golang git libpcap-dev

Go get

$go get github.com/D4-project/sensor-d4-tls-fingerprinting
$cd $GOPATH/github.com/D4-project/sensor-d4-tls-fingerprinting
$

A “sensor-d4-tls-fingerprinting” compiled for your architecture should then be in $GOPATH/bin Alternatively, use make to compile arm/linux or amd64/linux

How to use

Read from pcap:

$ ./d4-tlsf-amd64l -r=file 

Read from interface (promiscious mode):

$ ./d4-tlsf-amd64l -i=interface 

Write x509 certificates to folder:

$ ./d4-tlsf-amd64l -w=folderName 

Write output json inside folder

$ ./d4-tlsf-amd64l -j=folderName