
SSLv2 in Python Script #29

Open
0xdf-0xdf opened this issue Dec 19, 2018 · 5 comments

Comments

@0xdf-0xdf

When a piece of malware issues an SSLv2 client hello, ja3.py misses it. Can ja3 apply to SSLv2 hellos? I know there are no extensions, but that could just be blank.

@p-l-

p-l- commented Dec 25, 2018

@dcheel would you have, by any chance, a sample of the client hello you would like to log as a PCAP file that you could share?

@jalthouse-sfdc (Contributor)

@dcheel Yes, if you have a pcap, it would be much easier to test and resolve.

@0xdf-0xdf (Author)

Sorry, for some reason these were going to spam for me. I can't share the samples I have at work, unfortunately, but something like https://www.cloudshark.org/captures/7796ea1bb3f3 or https://www.cloudshark.org/captures/d94462c4f238 seem like examples of SSLv2 client hellos that return no data from ja3:

$ ja3 ~/Downloads/probe.pcap 
[]
$ ja3 ~/Downloads/tvc_startonline_findopponent_pid373467007_ip_ae3f754b.pcap 
[]

@p-l-

p-l- commented Jan 17, 2019

For probe.pcap (https://www.cloudshark.org/captures/7796ea1bb3f3), which is the shortest, I got in ssl.log:

#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       version cipher  curve   server_name     resumed last_alert      next_protocol  established     cert_chain_fuids        client_cert_chain_fuids subject issuer  client_subject  client_issuer   validation_status       ivreja3c      ivreja3s
#types  time    string  addr    port    addr    port    string  string  string  string  bool    string  string  bool    vector[string]  vector[string]  string  string  string  string  string  string  string
1468756951.170231       Cir6d52ztQSFX2hVSg      150.255.241.154 30283   172.246.47.121  443     TLSv10  TLS_RSA_WITH_AES_128_CBC_SHA    -       -       F       -       -       T       FMTr7TG8nFG58ngR5       (empty) C=US,OU=krrr-work,O=krrr-work,CN=krrr-work      C=US,OU=krrr-work,O=krrr-work,CN=krrr-work      -       -       self signed certificate  2,57-56-53-22-19-10-458944-51-50-47-196736-5-4-65664-21-18-9-393280-20-17-8-6-262272-3-131200,,,        769,47,
#close  2019-01-17-18-11-56

So I have both a client and server JA3 fingerprint.

NB: I use IVRE's version of the JA3 script, but the original should work just as well. This only explains the fact that I have ivreja3{c,s} field names and that I get the raw signatures (with IVRE the MD5 hashes are not computed by Bro, so that we can use either the raw value or the MD5 hash).

Both signatures start with 2, which is OK for SSLv2 I guess.

Bro version 2.6.1 has been used here BTW.

Update I missed the "in Python Script", I am not even able to read an issue title. So this comment is probably not helpful, but in case it helps anyway: that should work with Bro.
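The record and hello layout that the Bro output above reflects, as an added example (not code from ja3.py, Bro or IVRE): ja3.py only walks TLS records (content type 0x16, major version 0x03), while an SSLv2 hello sits behind a 2- or 3-byte length header with no content type, so it never reaches the fingerprint extraction. The code below parses that header and the CLIENT-HELLO body, encodes each 3-byte cipher spec as a 24-bit integer (which gives 57 for 0x000039 and 458944 for 0x0700C0, the values seen in the ssl.log above) and leaves the extension, curve and point-format fields empty. The sample hello bytes are constructed for the example, not taken from the cloudshark captures.

```python
"""JA3-style fingerprint for an SSLv2 CLIENT-HELLO (added example, not ja3.py code)."""
import hashlib
import struct


def is_tls_record(data: bytes) -> bool:
    """TLS handshake record: content type 0x16 followed by major version 0x03."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


def parse_sslv2_record(data: bytes):
    """Return the payload of the first SSLv2 record in data, or None if it is not one.

    SSLv2 record header: if the high bit of byte 0 is set the header is 2 bytes and
    the length is the low 15 bits; otherwise the header is 3 bytes, the length is
    the low 14 bits and byte 2 is the padding length (0 for a cleartext hello).
    """
    if is_tls_record(data) or len(data) < 3:
        return None
    if data[0] & 0x80:
        length, header, padding = ((data[0] & 0x7F) << 8) | data[1], 2, 0
    else:
        length, header, padding = ((data[0] & 0x3F) << 8) | data[1], 3, data[2]
    if length < padding or len(data) < header + length:
        return None  # truncated capture or not an SSLv2 record
    return data[header:header + length - padding]


def parse_sslv2_client_hello(body: bytes):
    """Return (version, cipher_specs) from an SSLv2 CLIENT-HELLO body.

    Layout: MSG-CLIENT-HELLO (0x01), CLIENT-VERSION (2), CIPHER-SPECS-LENGTH (2),
    SESSION-ID-LENGTH (2), CHALLENGE-LENGTH (2), then the cipher specs (3 bytes
    each), the session id and the challenge.
    """
    if len(body) < 9 or body[0] != 0x01:
        raise ValueError("not an SSLv2 CLIENT-HELLO")
    version, cs_len, sid_len, chal_len = struct.unpack("!HHHH", body[1:9])
    if cs_len % 3 or len(body) < 9 + cs_len + sid_len + chal_len:
        raise ValueError("malformed or truncated CLIENT-HELLO")
    specs = body[9:9 + cs_len]
    # Each spec is a 24-bit value: TLS-compatible specs (0x00xxxx) come out as the
    # usual 16-bit cipher number (0x000039 -> 57), SSLv2-only specs as 24-bit
    # numbers (0x0700C0 -> 458944), matching the Bro ssl.log values.
    ciphers = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
    return version, ciphers


def ja3_from_sslv2(data: bytes):
    """Return (ja3_string, ja3_md5) for an SSLv2 CLIENT-HELLO record, or None.

    SSLv2 has no extensions, named groups or point formats, so the last three
    JA3 fields stay empty, as in the Bro output.
    """
    body = parse_sslv2_record(data)
    if body is None:
        return None
    version, ciphers = parse_sslv2_client_hello(body)
    ja3 = "%d,%s,,," % (version, "-".join(str(c) for c in ciphers))
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


# Constructed sample (not from the cloudshark captures): one SSLv2 record carrying
# a CLIENT-HELLO with CLIENT-VERSION 0x0002, four cipher specs and a 16-byte challenge.
SAMPLE_SSLV2_HELLO = bytes.fromhex(
    "8025"                  # 2-byte header, high bit set, record length 0x25 = 37
    "01" "0002"             # MSG-CLIENT-HELLO, CLIENT-VERSION 0.2
    "000c" "0000" "0010"    # 12 bytes of cipher specs, no session id, 16-byte challenge
    "000039" "000038"       # TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    "0700c0" "000035"       # SSL2_DES_192_EDE3_CBC_WITH_MD5, TLS_RSA_WITH_AES_256_CBC_SHA
    "00112233445566778899aabbccddeeff"  # challenge
)

# A TLS 1.0 ClientHello record start, for contrast: this is the shape ja3.py handles.
SAMPLE_TLS_RECORD = bytes.fromhex("160301002b0100002703010000")

if __name__ == "__main__":
    print(ja3_from_sslv2(SAMPLE_SSLV2_HELLO))  # ('2,57-56-458944-53,,,', <md5>)
    print(ja3_from_sslv2(SAMPLE_TLS_RECORD))   # None: not an SSLv2 record
```

Feed it the TCP payload of the client's first data segment (from dpkt or scapy, as ja3.py and ja3box do). An SSLv2-compatible hello sent by a client that actually wants TLS carries 0x0301 in CLIENT-VERSION, so its string starts with 769 rather than 2; the version field is reported as found, not normalised.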

@Macr0phag3

@0xdf-0xdf

I met the same problem, so I used scapy to make a new tool:

https://github.com/Macr0phag3/ja3box

It seems to work well.
