sensor-d4-tls-fingerprinting is intended to feed a D4 project client, though it can also be used standalone.
- extracts TLS certificates from pcap files or network interfaces
- fingerprints TLS client/server interactions with ja3/ja3s
- fingerprints TLS interactions with TLSH fuzzy hashing
- writes certificates to a folder
- exports JSON to files or stdout
This project is currently in development and is subject to change; check the list of issues.
Requirements:
- git
- golang >= 1.5
- libpcap
#apt install golang git libpcap-dev
$ go get github.com/D4-project/sensor-d4-tls-fingerprinting
$ cd $GOPATH/src/github.com/D4-project/sensor-d4-tls-fingerprinting
$
A "sensor-d4-tls-fingerprinting" binary compiled for your architecture should then be in $GOPATH/bin. Alternatively, use make to compile for arm/linux or amd64/linux.
Read from pcap:
$ ./d4-tlsf-amd64l -r=file
Read from interface (promiscuous mode):
$ ./d4-tlsf-amd64l -i=interface
Write x509 certificates to folder:
$ ./d4-tlsf-amd64l -w=folderName
Write JSON output to folder:
$ ./d4-tlsf-amd64l -j=folderName