e5f2916b65
The fdatasync call generates a "implicit declaration of function 'fdatasync' is invalid in C99" warning when building for macOS (it's nowhere to be found in the system includes), but linking will eventually work fine because there is an unrelated syscall by the same name (different prototype), so it's not doing what it should. So lets not use it. |
||
|---|---|---|
| .github | ||
| base | ||
| cmake/modules | ||
| common | ||
| docker | ||
| null | ||
| pcap | ||
| samples | ||
| ssl | ||
| win32 | ||
| .clang-format | ||
| .gitchangelog.rc | ||
| .gitignore | ||
| _config.yml | ||
| AUTHORS | ||
| build.sh | ||
| ChangeLog | ||
| CMakeLists.txt | ||
| COPYING | ||
| COPYRIGHT | ||
| CREDITS | ||
| INSTALL | ||
| INSTALL.W32 | ||
| NEWS | ||
| README | ||
| README.md | ||
| README.old | ||
| ssldump.1 | ||
| ssldump.md | ||
ssldump - (de-facto repository gathering patches around the cyberspace)
Release and tagging
What about the original ssldump?
This repository is composed of the original SSLDUMP 0.9b3 + a myriad of patches (from Debian and other distributions) + contributions via PR
ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic. It also includes a JSON output option, supports JA3 and IPv6.
How to do I run ssldump?
./ssldump -j -ANH -n -i any | jq will run ssldump on all interfaces and output the result in JSON format including ja3 hashes.
For more details, check the man page.
How can I lookup ja3 hashes?
This example will query ja3er.com service to display the known ja3 hashes from the TLS handshaked in the pcap.
./ssldump -r yourcapture.pcap -j | jq -r 'select(.ja3_fp != null) | .ja3_fp' | parallel 'curl -s -X GET 'https://ja3er.com/search/{}' | jq .'
Why do you maintain this repository?
Because it's a mess. The software maintenance process for old free (unmaintained) software like ssldump is a complete chaotic process. I do this to ease my pain and this could help other too (but this is just a collateral damage).
Where ssldump is used?
- I used it for a relatively small project called Passive SSL. For more information, Passive SSL Passive Detection and Reconnaissance Techniques, to Find, Track, and Attribute Vulnerable ”Devices”. Additional back-end code available is in the crl-monitor repository.
- ssldump is used in the D4-Project.
Where ssldump is available?
- Alpine Linux ssldump
- Arch Linux ssldump
- CentOS, RHEL, Rocky (via EPEL) ssldump
- Fedora ssldump
- Kali Linux ssldump
- Ubuntu Linux ssldump
Build instructions
Install dependencies on Debian & Ubuntu (as root):
apt install build-essential git cmake ninja-build libssl-dev libpcap-dev libnet1-dev libjson-c-dev
On Fedora, CentOS, RHEL & Rocky (as root):
dnf install git cmake ninja-build gcc openssl-devel libpcap-devel libnet-devel json-c-devel
On OpenBSD (as root):
pkg_add git cmake ninja json-c libnet
On FreeBSD (as root):
pkg install git cmake ninja json-c libnet
On MacOS (as root):
brew install cmake ninja openssl@3 libpcap libnet json-c
Compile & install:
git clone https://github.com/adulau/ssldump.git
cd ssldump
cmake -G Ninja -B build
ninja -C build
./build/ssldump -v
(optional, as root) ninja -C build install
Notes
The "save to pcap" (-w) option by @ryabkov, is heavily based on the work of @droe on https://github.com/droe/sslsplit .
Contributing
The contributing policy is simple. If you have a patch to propose, make a pull-request via the interface. If the patch works for me, it's merged.