Signature analysis: TLS
Signature format:
SSLVersion,Cipher,SSLExtension,EllipticCurve,EllipticCurvePointFormat
Fingerprint sample: 769,49172-49171-53-47-49162-49161-56-50-10-19-5-4,0-5-10-11-65281,23-24-25,0
We use the tshark output field tls_handshake_tls_handshake_type to detect the Client Hello message (its value equals 1).
SSLVersion:tls_handshake_tls_handshake_version (0x301 for TLS1.2)
Cipher:tls_handshake_ciphersuites_tls_handshake_ciphersuite
SSLExtension:text_tls_handshake_extension_type
EllipticCurve:tls_handshake_extensions_supported_groups_tls_handshake_extensions_supported_group
EllipticCurvePointFormat:tls_handshake_extensions_ec_point_formats_tls_handshake_extensions_ec_point_format
Let's calculate the JA3 MD5 hash of a sample TLS Client Hello from our pcap. Its JA3 string is:
771,49199-49200-49195-49196-52392-52393-49171-49161-49172-49162-156-157-47-53-49170-10,5-10-11-35-13-65281-18,29-23-24-25,0
Resulting MD5 hash is 1f24dbdea9cbd448a034e5d87c14168f
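As an added worked example (not code from the original page), the following Python reproduces the steps above: it takes one Client Hello as a record keyed by the tshark field names listed above, with multi-value fields joined by commas as `tshark -T fields -E aggregator=,` prints them (that export layout is an assumption), drops GREASE values as the JA3 specification requires, and builds the JA3 string and its MD5 hash for the sample Client Hello.

```python
import hashlib

# GREASE values (RFC 8701) are removed from every list before hashing, per the JA3 spec.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def parse_values(field):
    """Parse a comma-joined tshark field ("49199,0xc02f,...") into ints, dropping GREASE."""
    if not field:
        return []
    return [v for v in (int(x, 0) for x in field.split(",")) if v not in GREASE]


def ja3_string(version, ciphers, extensions, groups, point_formats):
    """SSLVersion,Cipher,SSLExtension,EllipticCurve,EllipticCurvePointFormat (dash-joined lists)."""
    def join(vals):
        return "-".join(str(v) for v in vals)
    return ",".join([str(version), join(ciphers), join(extensions), join(groups), join(point_formats)])


def ja3_from_tshark(rec):
    """Return (ja3_string, md5_hex) for a Client Hello record, or None for any other handshake type."""
    if rec.get("tls_handshake_tls_handshake_type") != "1":
        return None
    s = ja3_string(
        int(rec["tls_handshake_tls_handshake_version"], 0),
        parse_values(rec.get("tls_handshake_ciphersuites_tls_handshake_ciphersuite", "")),
        parse_values(rec.get("text_tls_handshake_extension_type", "")),
        parse_values(rec.get("tls_handshake_extensions_supported_groups_tls_handshake_extensions_supported_group", "")),
        parse_values(rec.get("tls_handshake_extensions_ec_point_formats_tls_handshake_extensions_ec_point_format", "")),
    )
    return s, hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed record reproducing the page's sample Client Hello (version 0x0303 = 771 = TLS 1.2).
SAMPLE = {
    "tls_handshake_tls_handshake_type": "1",
    "tls_handshake_tls_handshake_version": "0x0303",
    "tls_handshake_ciphersuites_tls_handshake_ciphersuite":
        "49199,49200,49195,49196,52392,52393,49171,49161,49172,49162,156,157,47,53,49170,10",
    "text_tls_handshake_extension_type": "5,10,11,35,13,65281,18",
    "tls_handshake_extensions_supported_groups_tls_handshake_extensions_supported_group": "29,23,24,25",
    "tls_handshake_extensions_ec_point_formats_tls_handshake_extensions_ec_point_format": "0",
}

if __name__ == "__main__":
    ja3, digest = ja3_from_tshark(SAMPLE)
    print(ja3)
    print(digest)
```

Because the hash is taken over the decimal, dash-joined form, a single reordered or extra cipher (or a GREASE value left in) changes the fingerprint entirely, which is why matching against a database such as ja3er.com depends on normalising exactly as the specification says.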
Searching for this hash on ja3er.com returns:
Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8 (count: 1, last seen: 2019-09-29 01:08:29)