sensor-d4-tls-fingerprinting is intended to be used to feed a D4 project client (It can be used in standalone though).

Main features

• extracts TLS certificates from pcap files or network interfaces
• fingerprints TLS client/server interactions with ja3/ja3s
• fingerprints TLS interactions with TLSH fuzzy hashing
• write certificates in a folder
• export in JSON to files, or stdout

Use

This project is currently in development and is subject to change, check the list of issues.

Compile from source

requirements

• git
• golang >= 1.5
• libpcap

#apt install golang git libpcap-dev

Go get

$go get github.com/D4-project/sensor-d4-tls-fingerprinting
$cd $GOPATH/github.com/D4-project/sensor-d4-tls-fingerprinting
$

A "sensor-d4-tls-fingerprinting" compiled for your architecture should then be in $GOPATH/bin Alternatively, use make to compile arm/linux or amd64/linux

How to use

Read from pcap:

$ ./d4-tlsf-amd64l -r=file 

Read from interface (promiscious mode):

$ ./d4-tlsf-amd64l -i=interface 

Write x509 certificates to folder:

$ ./d4-tlsf-amd64l -w=folderName 

Write output json inside folder

$ ./d4-tlsf-amd64l -j=folderName