Published on June 28th, 2016 | by MaxiSoler1
TLS Fingerprinting v1.0 – TLS Tools
TLS Fingerprinting is a set of tools that enable the matching (either on the wire or from a pcap), creation, and export of TLS fingerprints to other formats.
Of course there is plenty left to do: new features, new fingerprints. But we have no outstanding major bugs, so this seems like a good time.
In summary, the tools are:
FingerprinTLS is designed to rapidly identify known TLS connections and to fingerprint unknown ones. Input is taken either from live network sniffing or from a PCAP file. Output for recognized connections is (currently) in human-readable form; unknown fingerprints are emitted in the same JSON format used for the fingerprint definitions, so they can be added to the database directly.
Fingerprints generated this way can be exported as a C struct by Fingerprintout and compiled back into FingerprinTLS so that they are detected in future runs.
Fingerprintout is a tool for managing the fingerprint definitions JSON file: sanitizing it and exporting it to other formats. At the time of writing the possible outputs are:
- struct: C struct format, so the fingerprint definitions can be included in your own code.
- ids: Suricata/Snort rules, for detection on existing IDS/IPS infrastructure.
- idsinit: same as ids, but matches only the first Client Hello packet of each connection.
- cleanse: sanitizes the JSON file, producing a new JSON file. This is intended for scrubbing data prior to publishing.
- xkeyscore: outputs a regular expression. Note that this is less reliable than the other formats because offsets cannot be defined precisely, so it relies on liberal use of .* for “some” offset. DO NOT use this for serious purposes.
fingerprints.json: The fingerprint “database” itself.
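To make the two halves of the workflow concrete (extracting a fingerprint from a Client Hello, then matching it or exporting it as an IDS rule), here is an added example in Python. It is not FingerprinTLS or Fingerprintout code, and the field set, JSON layout and rule format it uses are this example's own simplifications, not the schema of fingerprints.json or the exact output of the real tools. The Client Hello bytes and the "known" database entry are constructed inline so it runs offline.

```python
"""Toy TLS Client Hello fingerprinting (added example, not the project's code).
Fingerprint fields here are the usual suspects (versions, ciphersuite order,
extension order, supported groups, EC point formats); the JSON and rule formats
are this example's own and do not claim to match fingerprints.json/Fingerprintout."""
import json
import struct


def _u16(n):
    return struct.pack(">H", n)


def build_client_hello(version, ciphers, extensions):
    """Constructed sample input: a ClientHello handshake wrapped in a TLS record.
    `extensions` is a list of (ext_type, ext_body_bytes)."""
    ext_body = b"".join(_u16(t) + _u16(len(b)) + b for t, b in extensions)
    body = (_u16(version) + b"\x00" * 32            # client_random (constructed)
            + b"\x00"                               # empty session id
            + _u16(2 * len(ciphers)) + b"".join(_u16(c) for c in ciphers)
            + b"\x01\x00"                           # one compression method: null
            + _u16(len(ext_body)) + ext_body)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + _u16(0x0301) + _u16(len(handshake)) + handshake


def parse_client_hello(rec):
    """Extract the fields a TLS fingerprint is typically built from."""
    if rec[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = rec[5:5 + struct.unpack(">H", rec[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                            # skip type + 24-bit length
    fp = {"record_version": struct.unpack(">H", rec[1:3])[0],
          "hello_version": struct.unpack(">H", hs[p:p + 2])[0]}
    p += 2 + 32                                      # version, client_random
    p += 1 + hs[p]                                   # session id
    n = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    fp["ciphersuites"] = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + hs[p]                                   # compression methods
    fp["extensions"], fp["supported_groups"], fp["ec_point_formats"] = [], [], []
    if p < len(hs):                                  # extensions block is optional
        end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]
        p += 2
        while p < end:
            t, ln = struct.unpack(">HH", hs[p:p + 4])
            body = hs[p + 4:p + 4 + ln]
            fp["extensions"].append(t)
            if t == 10:    # supported_groups: u16 list length, then u16 ids
                fp["supported_groups"] = [struct.unpack(">H", body[i:i + 2])[0]
                                          for i in range(2, len(body), 2)]
            elif t == 11:  # ec_point_formats: u8 list length, then u8 ids
                fp["ec_point_formats"] = list(body[1:])
            p += 4 + ln
    return fp


FP_KEYS = ("record_version", "hello_version", "ciphersuites",
           "extensions", "supported_groups", "ec_point_formats")


def match_fingerprint(fp, db):
    """Names of database entries whose fields all equal the observed ones.
    Comparison is order-sensitive: list order is part of the signal."""
    return [name for name, known in db.items() if all(known[k] == fp[k] for k in FP_KEYS)]


def fingerprint_json(name, fp):
    """Unknown-fingerprint output as JSON, ready to be pasted into a database."""
    return json.dumps({"name": name, **{k: fp[k] for k in FP_KEYS}})


def to_ids_rule(name, fp, sid):
    """Snort/Suricata-style rule anchoring on record header and ciphersuite list
    (example rule shape, not Fingerprintout's actual output)."""
    hdr = "16 %02X %02X" % (fp["record_version"] >> 8, fp["record_version"] & 0xFF)
    suites = " ".join("%02X %02X" % (c >> 8, c & 0xFF) for c in fp["ciphersuites"])
    return ('alert tcp any any -> any 443 (msg:"TLS fingerprint %s"; '
            'content:"|%s|"; depth:3; content:"|%s|"; sid:%d; rev:1;)'
            % (name, hdr, suites, sid))


# Constructed sample: one ClientHello and a one-entry "known" database.
SAMPLE = build_client_hello(
    0x0303, [0xC02B, 0xC02F, 0x009C, 0x002F, 0x0035, 0x000A],
    [(0, b"\x00\x0e\x00\x00\x0bexample.com"),   # server_name
     (10, b"\x00\x04\x00\x17\x00\x18"),         # supported_groups: secp256r1, secp384r1
     (11, b"\x01\x00")])                        # ec_point_formats: uncompressed
KNOWN_DB = {"Constructed-client": {
    "record_version": 0x0301, "hello_version": 0x0303,
    "ciphersuites": [0xC02B, 0xC02F, 0x009C, 0x002F, 0x0035, 0x000A],
    "extensions": [0, 10, 11], "supported_groups": [23, 24], "ec_point_formats": [0]}}

if __name__ == "__main__":
    fp = parse_client_hello(SAMPLE)
    print(match_fingerprint(fp, KNOWN_DB) or fingerprint_json("unknown", fp))
    print(to_ids_rule("Constructed-client", fp, 1000001))
```

Changing any ciphersuite in SAMPLE makes the match fail and the script falls through to the JSON form, which is the "unknown fingerprint" path; the rule export shows why ciphersuite order is the natural IDS anchor while a regex export that cannot pin offsets is weaker.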
Thanks to our friend Lee Brotherston, for sharing this tool with us.