
Published on June 28th, 2016 | by MaxiSoler


TLS Fingerprinting v1.0 – TLS Tools

TLS Fingerprinting is a set of tools that enable the matching (either on the wire or via pcap), creation, and export of TLS fingerprints to other formats.

Changelog v1.0

  • Of course there is plenty left to do, new features, new fingerprints. But we have no outstanding major bugs, so this seems like a good time.

In summary the tools are:

FingerprinTLS

FingerprinTLS is designed to rapidly identify known TLS connections and to fingerprint unknown TLS connections. Input is taken either via live network sniffing or by reading a PCAP file. Output for recognized connections is (currently) in human-readable form; output for unknown fingerprints is in the JSON format used for the fingerprint definitions.

Generated fingerprints can be exported as a C struct by Fingerprintout and compiled back into FingerprinTLS so that they are detected in future instances.

Fingerprintout

Fingerprintout is a tool for managing the fingerprint definitions JSON file with regard to sanitization and export to other formats. At the time of writing the possible outputs are:

  • struct: C struct format for people to include the fingerprint definitions in their own code.
  • ids: output in Suricata/Snort format for detection on existing IPS/IDS infrastructure.
  • idsinit: same as ids, but only for the first Client Hello packet per connection.
  • cleanse: sanitizes JSON file, producing a new JSON file. This is intended for scrubbing data prior to publishing.
  • xkeyscore: outputs a regex. Note that this is not as reliable as the other forms: offsets are not as easily defined, so the output makes liberal use of .* to stand for “some” offset. DO NOT use this for serious purposes.
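
The reliability caveat on the regex output can be seen in a small experiment. The following is an added example, not code from the TLS Fingerprinting project: it compares an offset-aware match with a loose `.*` regex on constructed ClientHello records. The fingerprint value, the regex and all function names are assumptions made for illustration.

```python
import re
import struct

# Hypothetical fingerprint: the exact cipher suite list one client offers.
KNOWN_CIPHERS = bytes.fromhex("c02bc02f009e")

def build_client_hello(ciphers, session_id=b""):
    """Constructed sample: a minimal TLS 1.2 ClientHello record, no extensions."""
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_cipher_suites(record):
    """Follow the length fields to the cipher suite list and return its bytes."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 5 + 4 + 2 + 32              # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]            # skip session ID length byte and session ID
    if pos + 2 > len(record):
        raise ValueError("truncated before cipher suites")
    (cs_len,) = struct.unpack_from("!H", record, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(record):
        raise ValueError("bad cipher suite length")
    return record[pos:pos + cs_len]

def offset_match(record):
    """Offset-aware match: compare only the bytes that really are the cipher list."""
    return parse_cipher_suites(record) == KNOWN_CIPHERS

# Loose pattern in the spirit of a ".*" signature (constructed, not tool output).
LOOSE = re.compile(rb"\x16\x03.*" + re.escape(KNOWN_CIPHERS), re.DOTALL)

def regex_match(record):
    return LOOSE.search(record) is not None

def demo():
    real = build_client_hello([0xC02B, 0xC02F, 0x009E])
    # Different client: other cipher suites, but its session ID happens to
    # contain the same six bytes.
    other = build_client_hello([0x002F, 0x0035], session_id=KNOWN_CIPHERS)
    return {"real": (offset_match(real), regex_match(real)),
            "other": (offset_match(other), regex_match(other))}

if __name__ == "__main__":
    print(demo())
```

The second record is a false positive for the regex only, because `.*` lets the pattern land on bytes that are not the cipher suite list.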

fingerprints.json: The fingerprint “database” itself.

Thanks to our friend Lee Brotherston, for sharing this tool with us.
