salesforce / ja3

JA3 is a standard for creating SSL client fingerprints in an easy to produce and shareable way.
BSD 3-Clause "New" or "Revised" License

The update of the python library dpkt caused changes in Ciphers fingerprint results. #66

Closed ghost closed 3 years ago

ghost commented 3 years ago

Updating dpkt to 1.9.5 will cause the password to be changed from a number to the corresponding string, and the fingerprint result will be changed. When GREASE appears, the script dpkt will report an error. When dpkt is 1.9.4, it looks like this:

[root@localhost python]# python3 ja3.py /home/pcap/ja3_test.pcap  
[ip:port] JA3: 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-21,29-23-24,0 --> b32309a26951912be7dba376398abc3b
[root@localhost python]# python3 ja3s.py /home/pcap/ja3_test.pcap 
[ip:port] JA3S: 771,49199,35-16 --> 4504e8d0495298feb931ec7e09f94bcc

When dpkt is 1.9.5, it looks like this:

[root@localhost python]# python3 ja3.py /home/pcap/ja3_test.pcap 
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/dpkt/ssl.py", line 302, in unpack
    ssl_ciphersuites.BY_CODE[code] for code in struct.unpack('!' + num_ciphersuites * 'H', ciphersuites)]
  File "/usr/local/lib/python3.6/site-packages/dpkt/ssl.py", line 302, in <listcomp>
    ssl_ciphersuites.BY_CODE[code] for code in struct.unpack('!' + num_ciphersuites * 'H', ciphersuites)]
KeyError: 27242

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "ja3.py", line 284, in <module>
    main()
  File "ja3.py", line 264, in main
    output = process_pcap(capture, any_port=args.any_port)
  File "ja3.py", line 203, in process_pcap
    handshake = dpkt.ssl.TLSHandshake(record.data)
  File "/usr/local/lib/python3.6/site-packages/dpkt/dpkt.py", line 87, in __init__
    self.unpack(args[0])
  File "/usr/local/lib/python3.6/site-packages/dpkt/ssl.py", line 421, in unpack
    self.data = embedded_type[1](self.data)
  File "/usr/local/lib/python3.6/site-packages/dpkt/dpkt.py", line 87, in __init__
    self.unpack(args[0])
  File "/usr/local/lib/python3.6/site-packages/dpkt/ssl.py", line 304, in unpack
    raise SSL3Exception('Unknown or invalid cipher suite type %x' % int(e.args[0]))
dpkt.ssl.SSL3Exception: Unknown or invalid cipher suite type 6a6a

[root@localhost python]# python3 ja3s.py /home/pcap/ja3s_test.pcap 
[ip:port]  JA3S: 771,CipherSuite(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256),35-16 --> 8ce7e2735b56d547ea7168506ac74566

ghost commented 3 years ago

I found that the python library specifies version 1.9.1.
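
The two failures reported above (a named object leaking into the hashed string, and a lookup error on the GREASE value 0x6a6a) can both be avoided by keeping cipher suites as plain integers before hashing. The sketch below is an added example, not code from the ja3 project or from dpkt; `NamedSuite`, its `.code` attribute, the function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import struct

# GREASE code points (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. JA3 leaves them out.
GREASE = {(n << 12) | 0x0A00 | (n << 4) | 0x0A for n in range(16)}

class NamedSuite:
    """Constructed stand-in for a parser result that wraps the code in an object.
    The .code attribute is an assumption of this example."""
    def __init__(self, code, name):
        self.code, self.name = code, name
    def __repr__(self):
        return "CipherSuite(%s)" % self.name

def parse_suite_list(raw):
    """Decode a cipher_suites vector body as plain 16-bit integers.
    No name table is consulted, so unknown or GREASE codes cannot raise."""
    if len(raw) % 2:
        raise ValueError("cipher suite list has odd length")
    return list(struct.unpack("!%dH" % (len(raw) // 2), raw))

def suite_code(value):
    """Return the numeric code whether the parser gave an int or an object."""
    if isinstance(value, int):
        return value
    code = getattr(value, "code", None)
    if not isinstance(code, int):
        raise TypeError("cannot recover a numeric code from %r" % (value,))
    return code

def ja3_segment(values):
    """Join numeric codes with '-', dropping GREASE, never str() of an object."""
    codes = [suite_code(v) for v in values]
    return "-".join(str(c) for c in codes if c not in GREASE)

def ja3s(version, cipher, extensions):
    """Build the JA3S string (version,cipher,extensions) and its MD5 digest."""
    text = ",".join([str(version), ja3_segment([cipher]), ja3_segment(extensions)])
    return text, hashlib.md5(text.encode()).hexdigest()

# Constructed sample: a GREASE value (0x6a6a) followed by three real suites.
SAMPLE = struct.pack("!4H", 0x6A6A, 4865, 4866, 49199)

if __name__ == "__main__":
    print(ja3_segment(parse_suite_list(SAMPLE)))
    print(ja3s(771, NamedSuite(49199, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"), [35, 16]))
```

Whatever normalisation is used, a fingerprint store built with one parser version should be re-checked against a known pcap after any dependency upgrade, since a changed string silently yields a different digest.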