Extract TLS certificates from pcap files or network interfaces, fingerprint TLS client/server interactions with ja3/ja3s
 
 
Go to file
Jean-Louis Huynen 864fc59d02
removes indent, nano 3339 time for files...
2019-03-18 11:32:57 +01:00
d4tls Fixes broken unittest 2019-03-01 10:06:04 +01:00
etls Some tests on etls + minor changes on d4tls 2019-02-05 15:40:22 +01:00
media updates README 2019-02-20 10:33:38 +01:00
.gitignore initial PoC 2019-01-23 14:41:30 +01:00
LICENSE Initial commit 2019-01-23 13:57:01 +01:00
Makefile Adds Makefile, simpler concurrency 2019-01-29 16:06:23 +01:00
README.md updates README 2019-02-20 10:33:38 +01:00
d4-tlsf.go removes indent, nano 3339 time for files... 2019-03-18 11:32:57 +01:00

README.md

sensor-d4-tls-fingerprinting

Release Software License Go Report Card

sensor-d4-tls-fingerprinting is intended to be used to feed a D4 project client (It can be used in standalone though).

Main features

  • extracts TLS certificates from pcap files or network interfaces
  • fingerprints TLS client/server interactions with ja3/ja3s
  • fingerprints TLS interactions with TLSH fuzzy hashing
  • write certificates in a folder
  • export in JSON to files, or stdout

Use

This project is currently in development and is subject to change, check the list of issues.

Compile from source

requirements

  • git
  • golang >= 1.5
  • libpcap
#apt install golang git libpcap-dev

Go get

$go get github.com/D4-project/sensor-d4-tls-fingerprinting
$cd $GOPATH/github.com/D4-project/sensor-d4-tls-fingerprinting
$

A "sensor-d4-tls-fingerprinting" compiled for your architecture should then be in $GOPATH/bin Alternatively, use make to compile arm/linux or amd64/linux

How to use

Read from pcap:

$ ./d4-tlsf-amd64l -r=file 

Read from interface (promiscious mode):

$ ./d4-tlsf-amd64l -i=interface 

Write x509 certificates to folder:

$ ./d4-tlsf-amd64l -w=folderName 

Write output json inside folder

$ ./d4-tlsf-amd64l -j=folderName