Extract TLS certificates from pcap files or network interfaces, fingerprint TLS client/server interactions with ja3/ja3s

sensor-d4-tls-fingerprinting

sensor-d4-tls-fingerprinting is intended to feed a D4 project client, though it can also be used standalone.

Main features

  • extracts TLS certificates from pcap files or network interfaces
  • fingerprints TLS client/server interactions with ja3/ja3s
  • fingerprints TLS interactions with TLSH fuzzy hashing
  • writes certificates to a folder
  • exports JSON to files or stdout
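For readers unfamiliar with the ja3/ja3s fingerprints named above, the following added example (not code from this project) shows how the public JA3 and JA3S definitions turn handshake fields into a fingerprint: decimal values joined with dashes, fields joined with commas, GREASE values dropped, then MD5. The function names and the sample handshake values are assumptions made for illustration.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// isGREASE matches the RFC 8701 placeholder values (0x0a0a ... 0xfafa),
// which JA3 skips because clients insert them at random.
func isGREASE(v uint16) bool { return v&0x0f0f == 0x0a0a && v>>8 == v&0xff }

// joinDec renders values as dash-separated decimals, dropping GREASE.
func joinDec(vals []uint16) string {
	parts := []string{}
	for _, v := range vals {
		if !isGREASE(v) {
			parts = append(parts, strconv.Itoa(int(v)))
		}
	}
	return strings.Join(parts, "-")
}

// JA3String: version,ciphers,extensions,curves,point formats (ClientHello).
func JA3String(ver uint16, ciphers, exts, curves []uint16, pointFmts []uint8) string {
	pf := make([]uint16, len(pointFmts))
	for i, p := range pointFmts {
		pf[i] = uint16(p)
	}
	return fmt.Sprintf("%d,%s,%s,%s,%s", ver, joinDec(ciphers), joinDec(exts), joinDec(curves), joinDec(pf))
}

// JA3SString: version,chosen cipher,extensions (ServerHello).
func JA3SString(ver, cipher uint16, exts []uint16) string {
	return fmt.Sprintf("%d,%d,%s", ver, cipher, joinDec(exts))
}

// Fingerprint is the MD5 hex digest of a JA3 or JA3S string.
func Fingerprint(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed sample handshake values, not taken from a real capture.
	ch := JA3String(771, []uint16{0x0a0a, 4865, 4866, 49195}, []uint16{0x1a1a, 0, 10, 11}, []uint16{29, 23}, []uint8{0})
	sh := JA3SString(771, 4865, []uint16{43, 51})
	fmt.Println(ch, Fingerprint(ch))
	fmt.Println(sh, Fingerprint(sh))
}
```

Because GREASE values are dropped before hashing, two ClientHellos from the same client that differ only in their random GREASE entries yield the same fingerprint.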

Use

This project is currently in development and is subject to change; check the list of issues.

Compile from source

requirements

  • git
  • golang >= 1.5
  • libpcap

# apt install golang git libpcap-dev

Go get

$ go get github.com/D4-project/sensor-d4-tls-fingerprinting
$ cd $GOPATH/src/github.com/D4-project/sensor-d4-tls-fingerprinting
$

A "sensor-d4-tls-fingerprinting" binary compiled for your architecture should then be in $GOPATH/bin. Alternatively, use make to compile for arm/linux or amd64/linux.

How to use

Read from pcap:

$ ./d4-tlsf-amd64l -r=file 

Read from interface (promiscuous mode):

$ ./d4-tlsf-amd64l -i=interface 

Write x509 certificates to folder:

$ ./d4-tlsf-amd64l -w=folderName 

Write JSON output to a folder:

$ ./d4-tlsf-amd64l -j=folderName 