Skip to content

Extract TLS certificates from pcap files or network interfaces, fingerprint TLS client/server interactions with ja3/ja3s

License

Notifications You must be signed in to change notification settings

D4-project/sensor-d4-tls-fingerprinting

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

35 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

sensor-d4-tls-fingerprinting

Release Software License Go Report Card

sensor-d4-tls-fingerprinting is intended to be used to feed a D4 project client (It can be used in standalone though).

Main features

  • extracts TLS certificates from pcap files or network interfaces
  • fingerprints TLS client/server interactions with ja3/ja3s
  • fingerprints TLS interactions with TLSH fuzzy hashing
  • write certificates in a folder
  • export in JSON to files, or stdout

Use

This project is currently in development and is subject to change, check the list of issues.

Compile from source

requirements

  • git
  • golang >= 1.5
  • libpcap
#apt install golang git libpcap-dev

Go get

$go get github.com/D4-project/sensor-d4-tls-fingerprinting
$cd $GOPATH/github.com/D4-project/sensor-d4-tls-fingerprinting
$

A "sensor-d4-tls-fingerprinting" compiled for your architecture should then be in $GOPATH/bin Alternatively, use make to compile arm/linux or amd64/linux

How to use

Read from pcap:

$ ./d4-tlsf-amd64l -r=file 

Read from interface (promiscious mode):

$ ./d4-tlsf-amd64l -i=interface 

Write x509 certificates to folder:

$ ./d4-tlsf-amd64l -w=folderName 

Write output json inside folder

$ ./d4-tlsf-amd64l -j=folderName