fingerprintAllTheThings: extracting network metadata and fingerprints from pcap files and live network traffic

by do son · May 29, 2019

fingerprint all the things!

A script for extracting network metadata and fingerprints such as JA3 and HASSH from packet capture files (pcap) or live network traffic. The main use-case is for monitoring honeypots, but you can also use it for other use cases such as network forensic analysis. fatt works on Linux, macOS, and Windows.

Note that fatt uses pyshark (a python wrapper for tshark) and therefore the performance is not great! But that’s not a big issue as obviously, this is not a tool you use in production. You can use other network analysis tools such as Bro/Zeek, Suricata or Netcap for more serious use cases. Joy is another great tool you can use for capturing and analyzing network flow data.

Features

Protocol support: SSL/TLS, SSH, RDP, HTTP, gQUIC.
- To be added soon: IETF QUIC, MySQL, MSSQL, etc.
Fingerprinting
- JA3: TLS client/server fingerprint
- HASSH: SSH client/server fingerprint
- RDFP: my experimental RDP fingerprint for standard RDP security protocol (note that other RDP security modes use TLS and can be fingerprinted with JA3)
- HTTP header fingerprint
- gQUIC/iQUIC fingerprint will be added soon
JSON output

Install

Install tshark
git clone https://github.com/0x4D31/fatt.git
cd fatt/
pip3 install pipenv
pipenv install

Use

usage: fatt.py [-h] [-r READ_FILE] [-d READ_DIRECTORY] [-i INTERFACE]

               [-fp [{tls,ssh,rdp,http,gquic} [{tls,ssh,rdp,http,gquic} ...]]]

               [-da DECODE_AS] [-f BPF_FILTER] [-j] [-o OUTPUT_FILE]

               [-w WRITE_PCAP] [-p]



A python script for extracting network fingerprints



optional arguments:

  -h, --help            show this help message and exit

  -r READ_FILE, --read_file READ_FILE

                        pcap file to process

  -d READ_DIRECTORY, --read_directory READ_DIRECTORY

                        directory of pcap files to process

  -i INTERFACE, --interface INTERFACE

                        listen on interface

  -fp [{tls,ssh,rdp,http,gquic} [{tls,ssh,rdp,http,gquic} ...]], --fingerprint [{tls,ssh,rdp,http,gquic} [{tls,ssh,rdp,http,gquic} ...]]

                        protocols to fingerprint. Default: all

  -da DECODE_AS, --decode_as DECODE_AS

                        a dictionary of {decode_criterion_string:

                        decode_as_protocol} that is used to tell tshark to

                        decode protocols in situations it wouldn't usually.

  -f BPF_FILTER, --bpf_filter BPF_FILTER

                        BPF capture filter to use (for live capture only).'

  -j, --json_logging    log the output in json format

  -o OUTPUT_FILE, --output_file OUTPUT_FILE

                        specify the output log file. Default: fatt.log

  -w WRITE_PCAP, --write_pcap WRITE_PCAP

                        save the live captured packets to this file

  -p, --print_output    print the output