TLS Fingerprinting Beta – TLS Tools

TLS Fingerprinting are tools to enable the matching (either on the wire or via pcap), creation, and export of TLS Fingerprints to other formats.

In summary the tools are:

FingerprinTLS

FingerprinTLS is designed to rapidly identify known TLS connections and to fingerprint unknown TLS connections. Input is taken either via live network sniffing or reading a PCAP file. Output for recognized connections is (currently) in human readable form and for unknown fingerprints in the JSON format used for the fingerprint definitions.

Fingerprints which are generated can be exported as a C struct by Fingerprintout and compiled back into FingerprinTLS to enable detecting in future instances.

Fingerprintout

Fingerprintout is a tool for managing the fingerprint definitions JSON file with regards to sanitization and export to other formats. At the time of writing the possible outputs are:

• struct: C struct format for people to include the fingerprint definitions in their own code.
• ids: output in suricata/snort output for detection on existing IPS/IDS infrastructure.
• idsinit: same as ids, but only for the first Client Hello packet per connection.
• cleanse: sanitizes JSON file, producing a new JSON file. This is intended for scrubbing data prior to publishing.
• xkeyscore: outputs in regex. Note, this is not as reliable as other forms because offsets are not as easily defined and so contains the liberal use of .* for “some” offset. DO NOT use this for serious purposes.

fingerprints.json: The fingerprint “database” itself.

More Information

• GitHub – TLS Fingerprinting
• TLS Fingerprinting Talk (DerbyCon)

[button size=large style=round color=red align=none url=https://github.com/LeeBrotherston/tls-fingerprinting]Download TLS Fingerprinting Beta[/button]

Thanks to our friend Lee Brotherston, for sharing this tool with us.