# ssldump - (de-facto repository gathering patches around the cyberspace)
[![Build CI](https://github.com/adulau/ssldump/actions/workflows/build.yml/badge.svg)](https://github.com/adulau/ssldump/actions/workflows/build.yml)
[![CodeQL analysis](https://github.com/adulau/ssldump/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/adulau/ssldump/actions/workflows/codeql-analysis.yml)
# Release and tagging
- Current version of ssldump is [v1.6](https://github.com/adulau/ssldump/releases/tag/v1.6) (released: 2023-02-03)
- Previous version of ssldump is [v1.5](https://github.com/adulau/ssldump/releases/tag/v1.5) (released: 2022-05-26) - [ChangeLog](https://raw.githubusercontent.com/adulau/ssldump/master/ChangeLog)
# What about the original ssldump?
This repository is composed of the original SSLDUMP 0.9b3 + a myriad of patches (from Debian and other distributions) + contributions via PR.
ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP
connections on the chosen network interface and attempts to interpret
them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it
decodes the records and displays them in a textual form to stdout. If
provided with the appropriate keying material, it will also decrypt
the connections and display the application data traffic. It also
includes a JSON output option, supports [JA3](https://github.com/salesforce/ja3) and IPv6.
# How do I run ssldump?
`./ssldump -j -ANH -n -i any | jq` will run ssldump on all interfaces and output the result in JSON format including ja3 hashes.
For more details, check the man page.
## How can I look up ja3 hashes?
This example queries the ja3er.com service to display the known ja3 hashes from the TLS handshakes in the pcap.
`ssldump -r yourcapture.pcap -j | jq -r 'select(.ja3_fp != null) | .ja3_fp' | parallel "curl -s -X GET https://ja3er.com/search/{} | jq ."`
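As an added example (not ssldump's own code and not part of the original README): the `ja3_fp` value that `ssldump -j` emits is the MD5 of the JA3 string built from the ClientHello (TLS version, cipher suites, extension types, supported groups and EC point formats, with GREASE values dropped). The Python below parses a constructed ClientHello record into that string and hash, then applies the same `select(.ja3_fp != null) | .ja3_fp` filter as the `jq` pipeline above to a few constructed JSON lines. The ClientHello bytes, the host name inside it and the JSON records are all constructed here; only the `ja3_fp` field name comes from this README, and the other record fields are not modelled.

```python
import hashlib
import json
import struct

# GREASE values (RFC 8701) are excluded from the JA3 string, as in the
# Salesforce reference implementation.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _u16s(data):
    """Split a byte string into big-endian 16-bit values."""
    return [struct.unpack_from(">H", data, i)[0] for i in range(0, len(data) - 1, 2)]


def ja3_from_client_hello(record):
    """Parse one TLS record carrying a ClientHello; return (ja3_string, ja3_md5)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from(">H", record, 3)[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack_from(">H", hello, pos)[0]
    pos += 2 + 32                      # client_version, then 32 bytes of random
    pos += 1 + hello[pos]              # session_id (length-prefixed)
    cs_len = struct.unpack_from(">H", hello, pos)[0]
    pos += 2
    ciphers = [c for c in _u16s(hello[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    pos += 1 + hello[pos]              # compression_methods (length-prefixed)
    exts, curves, formats = [], [], []
    if pos + 2 <= len(hello):
        end = pos + 2 + struct.unpack_from(">H", hello, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from(">HH", hello, pos)
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == 0x000a and len(edata) >= 2:      # supported_groups
                n = struct.unpack_from(">H", edata, 0)[0]
                curves = [g for g in _u16s(edata[2:2 + n]) if g not in GREASE]
            elif etype == 0x000b and len(edata) >= 1:    # ec_point_formats
                formats = list(edata[1:1 + edata[0]])
    ja3 = ",".join([str(version),
                    "-".join(map(str, ciphers)),
                    "-".join(map(str, exts)),
                    "-".join(map(str, curves)),
                    "-".join(map(str, formats))])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def _ext(etype, data):
    return struct.pack(">HH", etype, len(data)) + data


def build_sample_client_hello():
    """Constructed ClientHello (not a real capture): one GREASE cipher, one GREASE group, one GREASE extension."""
    ciphers = b"".join(struct.pack(">H", c) for c in (0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f))
    groups = b"".join(struct.pack(">H", g) for g in (0x2a2a, 0x001d, 0x0017, 0x0018))
    exts = (_ext(0x0a0a, b"")                                             # GREASE, ignored
            + _ext(0x0000, b"\x00\x10\x00\x00\x0dexample.local")          # server_name (constructed)
            + _ext(0x000a, struct.pack(">H", len(groups)) + groups)        # supported_groups
            + _ext(0x000b, b"\x01\x00")                                   # ec_point_formats
            + _ext(0x000d, b"\x00\x04\x04\x03\x08\x04"))                  # signature_algorithms
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + struct.pack(">H", len(ciphers)) + ciphers
             + b"\x01\x00"
             + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def unique_ja3_from_json(lines):
    """Same selection as `jq -r 'select(.ja3_fp != null) | .ja3_fp'`, de-duplicated in first-seen order."""
    seen = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        fp = json.loads(line).get("ja3_fp")
        if fp is not None and fp not in seen:
            seen.append(fp)
    return seen


if __name__ == "__main__":
    ja3, fp = ja3_from_client_hello(build_sample_client_hello())
    print("JA3 string:", ja3)
    print("ja3_fp    :", fp)
    # Constructed stand-ins for `ssldump -j` records (only ja3_fp is modelled).
    sample = ['{"ja3_fp": null}', '{"ja3_fp": "%s"}' % fp, '{"ja3_fp": "%s"}' % fp]
    print("unique fingerprints:", unique_ja3_from_json(sample))
```

Because the parser drops GREASE values, a client that randomises them still yields a stable `ja3_fp`, which is what makes the hash usable for matching against a known-client list such as ja3er.com.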
# Why do you maintain this repository?
Because it's a mess. The software maintenance process for old free (unmaintained) software
like ssldump is a completely chaotic process. I do this to ease my pain and this could help
others too (but this is just collateral damage).
# Where is ssldump used?
- I used it for a relatively small project called Passive SSL. For more information, see [Passive SSL: Passive Detection and Reconnaissance Techniques, to Find, Track, and Attribute Vulnerable "Devices"](https://www.first.org/resources/papers/conf2015/first_2015_-_leverett_-_dulaunoy_-_passive_detection_20150604.pdf). Additional back-end code is available in the [crl-monitor](https://github.com/adulau/crl-monitor/tree/master/bin/x509) repository.
- ssldump is used in the [D4-Project](https://github.com/D4-project/).
# Build instructions
On Debian & Ubuntu:
```
apt install build-essential autoconf libssl-dev libpcap-dev libnet1-dev libjson-c-dev
./autogen.sh
./configure --prefix=/usr/local
make
make install   # optional
```
On Fedora, CentOS & RHEL:
```
dnf install autoconf automake gcc make openssl-devel libpcap-devel libnet-devel json-c-devel
./autogen.sh
./configure --prefix=/usr/local
make
make install   # optional
```
Optional configuration features (aka ./configure options):
```
--disable-optimization   disable compiler optimizations (change from -O2 to -O0)
--enable-debug           enable debug info (add "-g -DDEBUG" to CFLAGS)
--enable-asan            enable AddressSanitizer and other checks:
                         add "-fsanitize=address,undefined,leak -Wformat -Werror=format-security
                         -Werror=array-bounds" to CFLAGS;
                         use libasan with GCC and embedded ASAN with Clang
```
Configuration examples:
```
- Use GCC with libasan, debug info and custom CFLAGS:
./configure CC=/usr/bin/gcc --enable-asan --enable-debug CFLAGS="-Wall"
- Use Clang with ASAN and no optimizations (-O0):
./configure CC=/usr/bin/clang --enable-asan --disable-optimization
```
# Notes
The "save to pcap" (-w) option by @ryabkov is heavily based on the work of
@droe on https://github.com/droe/sslsplit.
# Contributing
The contributing policy is simple. If you have a patch to propose, make a pull request
via the interface. If the patch works for me, it's merged.