Extract TLS certificates from pcap files or network interfaces, fingerprint TLS client/server interactions with ja3/ja3s

Go to file

Jean-Louis Huynen 006e37eafb chg [modules] going modular		2020-01-08 15:53:27 +01:00
d4tls	Merge branch 'greasebug'	2019-06-12 15:09:35 +02:00
etls	Some tests on etls + minor changes on d4tls	2019-02-05 15:40:22 +01:00
media	updates README	2019-02-20 10:33:38 +01:00
.gitignore	initial PoC	2019-01-23 14:41:30 +01:00
LICENSE	Initial commit	2019-01-23 13:57:01 +01:00
Makefile	Adds Makefile, simpler concurrency	2019-01-29 16:06:23 +01:00
README.md	updates README	2019-02-20 10:33:38 +01:00
d4-tlsf.go	removes indent, nano 3339 time for files...	2019-03-18 11:32:57 +01:00
go.mod	chg [modules] going modular	2020-01-08 15:53:27 +01:00
go.sum	chg [modules] going modular	2020-01-08 15:53:27 +01:00

README.md

sensor-d4-tls-fingerprinting

sensor-d4-tls-fingerprinting is intended to be used to feed a D4 project client (It can be used in standalone though).

Main features

extracts TLS certificates from pcap files or network interfaces
fingerprints TLS client/server interactions with ja3/ja3s
fingerprints TLS interactions with TLSH fuzzy hashing
write certificates in a folder
export in JSON to files, or stdout

Use

This project is currently in development and is subject to change, check the list of issues.

Compile from source

requirements

git
golang >= 1.5
libpcap

#apt install golang git libpcap-dev

Go get

$go get github.com/D4-project/sensor-d4-tls-fingerprinting
$cd $GOPATH/github.com/D4-project/sensor-d4-tls-fingerprinting
$

A "sensor-d4-tls-fingerprinting" compiled for your architecture should then be in $GOPATH/bin Alternatively, use make to compile arm/linux or amd64/linux

How to use

Read from pcap:

$ ./d4-tlsf-amd64l -r=file

Read from interface (promiscious mode):

$ ./d4-tlsf-amd64l -i=interface

Write x509 certificates to folder:

$ ./d4-tlsf-amd64l -w=folderName

Write output json inside folder

$ ./d4-tlsf-amd64l -j=folderName