{"id":13375163,"url":"https://github.com/0x4d31/fatt","last_synced_at":"2025-04-04T17:07:13.152Z","repository":{"id":37548322,"uuid":"176398139","full_name":"0x4D31/fatt","owner":"0x4D31","description":"FATT /fingerprintAllTheThings - a pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic","archived":false,"fork":false,"pushed_at":"2023-10-28T01:54:56.000Z","size":109,"stargazers_count":664,"open_issues_count":5,"forks_count":96,"subscribers_count":28,"default_branch":"master","last_synced_at":"2025-03-28T16:06:07.490Z","etag":null,"topics":["fingerprinting","honeypot","metadata","network","python","quic","rdp","security","ssh","threat-hunting","tls","tshark"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0x4D31.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-03-19T01:25:29.000Z","updated_at":"2025-03-22T10:56:08.000Z","dependencies_parsed_at":"2024-10-24T20:11:23.566Z","dependency_job_id":"e0d1a245-8077-449f-99f6-0ef1ab76ac31","html_url":"https://github.com/0x4D31/fatt","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x4D31%2Ffatt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x4D31%2Ffatt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x4D31%2Ffatt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/repositories/0x4D31%2Ffatt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0x4D31","download_url":"https://codeload.github.com/0x4D31/fatt/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247217180,"owners_count":20903009,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fingerprinting","honeypot","metadata","network","python","quic","rdp","security","ssh","threat-hunting","tls","tshark"],"created_at":"2024-07-30T05:01:31.516Z","updated_at":"2025-04-04T17:07:13.132Z","avatar_url":"https://github.com/0x4D31.png","language":"Python","readme":"\u003cimg align=\"left\" src=\"https://github.com/0x4D31/fatt/blob/master/docs/fatt.png\" width=\"150px\"\u003e\n66 61 74 74 2e\n\nfingerprint all the things!\n\n[![License: GPL v3](https://img.shields.io/badge/License-GPL%20v3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)\n\n\u003e More info about the fingerprinting methods, sample use-cases and research results will be added to the repo soon. Stay tuned!\n\nA script for extracting network metadata and fingerprints such as [JA3](https://github.com/salesforce/ja3) and [HASSH](https://github.com/salesforce/hassh) from packet capture files (pcap) or live network traffic. The main use-case is for monitoring honeypots, but you can also use it for other use cases such as network forensic analysis. fatt works on Linux, macOS and Windows.\n\nNote that fatt uses pyshark (a python wrapper for tshark) and therefore the performance is not great! 
But that's not a big issue as obviously this is not a tool you use in production. You can use other network analysis tools such as [Bro/Zeek](https://github.com/bro/bro), [Suricata](https://github.com/OISF/suricata) or [Netcap](https://github.com/dreadl0ck/netcap) for more serious use cases. [Joy](https://github.com/cisco/joy) is another great tool you can use for capturing and analyzing network flow data.\n\nOther than that, I'm working on a Go-based version of fatt which is faster, and you can use its libraries in your gopacket-based tools such as packetbeat. I released the initial version of its gQUIC library ([QUICk](https://github.com/0x4D31/quick)).\n\n\n### Features\n\n- Protocol support: SSL/TLS, SSH, RDP, HTTP, gQUIC.\n    - To be added soon: IETF QUIC, MySQL, MSSQL, etc.\n- Fingerprinting\n    - JA3: TLS client/server fingerprint\n    - HASSH: SSH client/server fingerprint\n    - RDFP: my experimental RDP fingerprint for standard RDP security protocol (note that other RDP security modes use TLS and can be fingerprinted with JA3)\n    - HTTP header fingerprint\n    - gQUIC/iQUIC fingerprint will be added soon \n- JSON output\n \n## Getting Started\n\n1. Install tshark\n\nYou need to first install [tshark](https://github.com/wireshark/wireshark). Make sure you have version v2.9.0 or later. Tshark/Wireshark renamed 'ssl' to 'tls' from version v2.9.0, and fatt is written based on the new version of tshark.\n\nIf you have an old version of tshark (\u003c v2.9.0), you can use the fatt script from [\"old-tshark\" branch](https://github.com/0x4D31/fatt/tree/old-tshark).\n\n2. Install dependencies\n\n```buildoutcfg\ncd fatt/\npip3 install pipenv\npipenv install\n```\n\nOR just install pyshark if you don't want to use a virtual environment:\n\n```buildoutcfg\npip3 install pyshark==0.4.2.2\n```\n\nTo activate the virtualenv, run pipenv shell:\n```buildoutcfg\n$ pipenv shell\nLaunching subshell in virtual environment…\nbash-3.2$  . 
/Users/adel/.local/share/virtualenvs/fatt-ucJHMzzt/bin/activate\n(fatt-ucJHMzzt) bash-3.2$ python3 fatt.py -h\n```\n\nAlternatively, run the command inside the virtualenv with `pipenv run`:\n\n```buildoutcfg\n$ pipenv run python3 fatt.py -h\n```\n\nOutput:\n\n```buildoutcfg\nusage: fatt.py [-h] [-r READ_FILE] [-d READ_DIRECTORY] [-i INTERFACE]\n               [-fp [{tls,ssh,rdp,http,gquic} [{tls,ssh,rdp,http,gquic} ...]]]\n               [-da DECODE_AS] [-f BPF_FILTER] [-j] [-o OUTPUT_FILE]\n               [-w WRITE_PCAP] [-p]\n\nA python script for extracting network fingerprints\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -r READ_FILE, --read_file READ_FILE\n                        pcap file to process\n  -d READ_DIRECTORY, --read_directory READ_DIRECTORY\n                        directory of pcap files to process\n  -i INTERFACE, --interface INTERFACE\n                        listen on interface\n  -fp [{tls,ssh,rdp,http,gquic} [{tls,ssh,rdp,http,gquic} ...]], --fingerprint [{tls,ssh,rdp,http,gquic} [{tls,ssh,rdp,http,gquic} ...]]\n                        protocols to fingerprint. Default: all\n  -da DECODE_AS, --decode_as DECODE_AS\n                        a dictionary of {decode_criterion_string:\n                        decode_as_protocol} that is used to tell tshark to\n                        decode protocols in situations it wouldn't usually.\n  -f BPF_FILTER, --bpf_filter BPF_FILTER\n                        BPF capture filter to use (for live capture only).'\n  -j, --json_logging    log the output in json format\n  -o OUTPUT_FILE, --output_file OUTPUT_FILE\n                        specify the output log file. 
Default: fatt.log\n  -w WRITE_PCAP, --write_pcap WRITE_PCAP\n                        save the live captured packets to this file\n  -p, --print_output    print the output\n```\n\n## Usage\n\n#### Live network traffic capture:\n\n```buildoutcfg\n$ python3 fatt.py -i en0 --print_output --json_logging\n192.168.1.10:59565 -\u003e 192.168.1.3:80 [HTTP] hash=598c34a2838e82f9ec3175305f233b89 userAgent=\"Spotify/109600181 OSX/0 (MacBookPro14,3)\"\n192.168.1.10:59566 -\u003e 13.237.44.5:22 [SSH] hassh=ec7378c1a92f5a8dde7e8b7a1ddf33d1 client=SSH-2.0-OpenSSH_7.9\n13.237.44.5:22 -\u003e 192.168.1.10:59566 [SSH] hasshS=3f0099d323fed5119bbfcca064478207 server=SSH-2.0-babeld-80573d3e\n192.168.1.10:59584 -\u003e 93.184.216.34:443 [TLS] ja3=e6573e91e6eb777c0933c5b8f97f10cd serverName=example.com\n93.184.216.34:443 -\u003e 192.168.1.10:59584 [TLS] ja3s=ae53107a2e47ea20c72ac44821a728bf\n192.168.1.10:59588 -\u003e 192.168.1.3:80 [HTTP] hash=598c34a2838e82f9ec3175305f233b89 userAgent=\"Spotify/109600181 OSX/0 (MacBookPro14,3)\"\n192.168.1.10:59601 -\u003e 216.58.196.142:80 [HTTP] hash=d6662c018cd4169689ddf7c6c0f8ca1b userAgent=\"curl/7.54.0\"\n216.58.196.142:80 -\u003e 192.168.1.10:59601 [HTTP] hash=c5241aca9a7c86f06f476592f5dda9a1 server=gws\n192.168.1.10:54387 -\u003e 216.58.203.99:443 [QUIC] UAID=\"Chrome/74.0.3729.169 Intel Mac OS X 10_14_5\" SNI=clientservices.googleapis.com AEAD=AESG KEXS=C255\n```\n\nJSON output:\n\n```buildoutcfg\n$ cat fatt.log\n{\"timestamp\": \"2019-05-28T03:41:25.415086\", \"sourceIp\": \"192.168.1.10\", \"destinationIp\": \"192.168.1.3\", \"sourcePort\": \"59565\", \"destinationPort\": \"80\", \"protocol\": \"http\", \"http\": {\"requestURI\": \"/DIAL/apps/com.spotify.Spotify.TVv2\", \"requestFullURI\": \"http://192.168.1.3/DIAL/apps/com.spotify.Spotify.TVv2\", \"requestVersion\": \"HTTP/1.1\", \"requestMethod\": \"GET\", \"userAgent\": \"Spotify/109600181 OSX/0 (MacBookPro14,3)\", \"clientHeaderOrder\": \"connection,accept_encoding,host,user_agent\", 
\"clientHeaderHash\": \"598c34a2838e82f9ec3175305f233b89\"}}\n{\"timestamp\": \"2019-05-28T03:41:26.099574\", \"sourceIp\": \"13.237.44.5\", \"destinationIp\": \"192.168.1.10\", \"sourcePort\": \"22\", \"destinationPort\": \"59566\", \"protocol\": \"ssh\", \"ssh\": {\"server\": \"SSH-2.0-babeld-80573d3e\", \"hasshServer\": \"3f0099d323fed5119bbfcca064478207\", \"hasshServerAlgorithms\": \"curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256;chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc;hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib,zlib@openssh.com\", \"hasshVersion\": \"1.0\", \"skex\": \"curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256\", \"seastc\": \"chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc\", \"smastc\": \"hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\", \"scastc\": \"none,zlib,zlib@openssh.com\", \"slcts\": \"[Empty]\", \"slstc\": \"[Empty]\", \"seacts\": \"chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc\", \"smacts\": \"hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\", \"scacts\": \"none,zlib,zlib@openssh.com\", \"sshka\": \"ssh-dss,rsa-sha2-512,rsa-sha2-256,ssh-rsa\"}}\n{\"timestamp\": \"2019-05-28T03:41:26.106737\", \"sourceIp\": \"192.168.1.10\", \"destinationIp\": \"13.237.44.5\", \"sourcePort\": \"59566\", \"destinationPort\": \"22\", \"protocol\": 
\"ssh\", \"ssh\": {\"client\": \"SSH-2.0-OpenSSH_7.9\", \"hassh\": \"ec7378c1a92f5a8dde7e8b7a1ddf33d1\", \"hasshAlgorithms\": \"curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com;umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib@openssh.com,zlib\", \"hasshVersion\": \"1.0\", \"ckex\": \"curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c\", \"ceacts\": \"chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\", \"cmacts\": \"umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\", \"ccacts\": \"none,zlib@openssh.com,zlib\", \"clcts\": \"[Empty]\", \"clstc\": \"[Empty]\", \"ceastc\": \"chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\", \"cmastc\": \"umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\", \"ccastc\": \"none,zlib@openssh.com,zlib\", \"cshka\": 
\"rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519\"}}\n{\"timestamp\": \"2019-05-28T03:41:36.762811\", \"sourceIp\": \"192.168.1.10\", \"destinationIp\": \"93.184.216.34\", \"sourcePort\": \"59584\", \"destinationPort\": \"443\", \"protocol\": \"tls\", \"tls\": {\"serverName\": \"example.com\", \"ja3\": \"e6573e91e6eb777c0933c5b8f97f10cd\", \"ja3Algorithms\": \"771,49200-49196-49192-49188-49172-49162-159-107-57-52393-52392-52394-65413-196-136-129-157-61-53-192-132-49199-49195-49191-49187-49171-49161-158-103-51-190-69-156-60-47-186-65-49170-49160-22-10-255,0-11-10-13-16,29-23-24,0\", \"ja3Version\": \"771\", \"ja3Ciphers\": \"49200-49196-49192-49188-49172-49162-159-107-57-52393-52392-52394-65413-196-136-129-157-61-53-192-132-49199-49195-49191-49187-49171-49161-158-103-51-190-69-156-60-47-186-65-49170-49160-22-10-255\", \"ja3Extensions\": \"0-11-10-13-16\", \"ja3Ec\": \"29-23-24\", \"ja3EcFmt\": \"0\"}}\n{\"timestamp\": \"2019-05-28T03:41:36.920935\", \"sourceIp\": \"93.184.216.34\", \"destinationIp\": \"192.168.1.10\", \"sourcePort\": \"443\", \"destinationPort\": \"59584\", \"protocol\": \"tls\", \"tls\": {\"ja3s\": \"ae53107a2e47ea20c72ac44821a728bf\", \"ja3sAlgorithms\": \"771,49199,65281-0-11-16\", \"ja3sVersion\": \"771\", \"ja3sCiphers\": \"49199\", \"ja3sExtensions\": \"65281-0-11-16\"}}\n{\"timestamp\": \"2019-05-28T03:41:37.487609\", \"sourceIp\": \"192.168.1.10\", \"destinationIp\": \"192.168.1.3\", \"sourcePort\": \"59588\", \"destinationPort\": \"80\", \"protocol\": \"http\", \"http\": {\"requestURI\": \"/DIAL/apps/com.spotify.Spotify.TVv2\", \"requestFullURI\": \"http://192.168.1.3/DIAL/apps/com.spotify.Spotify.TVv2\", \"requestVersion\": 
\"HTTP/1.1\", \"requestMethod\": \"GET\", \"userAgent\": \"Spotify/109600181 OSX/0 (MacBookPro14,3)\", \"clientHeaderOrder\": \"connection,accept_encoding,host,user_agent\", \"clientHeaderHash\": \"598c34a2838e82f9ec3175305f233b89\"}}\n{\"timestamp\": \"2019-05-28T03:41:48.700730\", \"sourceIp\": \"192.168.1.10\", \"destinationIp\": \"216.58.196.142\", \"sourcePort\": \"59601\", \"destinationPort\": \"80\", \"protocol\": \"http\", \"http\": {\"requestURI\": \"/\", \"requestFullURI\": \"http://google.com/\", \"requestVersion\": \"HTTP/1.1\", \"requestMethod\": \"GET\", \"userAgent\": \"curl/7.54.0\", \"clientHeaderOrder\": \"host,user_agent,accept\", \"clientHeaderHash\": \"d6662c018cd4169689ddf7c6c0f8ca1b\"}}\n{\"timestamp\": \"2019-05-28T03:41:48.805393\", \"sourceIp\": \"216.58.196.142\", \"destinationIp\": \"192.168.1.10\", \"sourcePort\": \"80\", \"destinationPort\": \"59601\", \"protocol\": \"http\", \"http\": {\"server\": \"gws\", \"serverHeaderOrder\": \"location,content_type,date,cache_control,server,content_length\", \"serverHeaderHash\": \"c5241aca9a7c86f06f476592f5dda9a1\"}}\n{\"timestamp\": \"2019-05-28T03:41:58.038530\", \"sourceIp\": \"192.168.1.10\", \"destinationIp\": \"216.58.203.99\", \"sourcePort\": \"54387\", \"destinationPort\": \"443\", \"protocol\": \"gquic\", \"gquic\": {\"tagNumber\": \"25\", \"sni\": \"clientservices.googleapis.com\", \"uaid\": \"Chrome/74.0.3729.169 Intel Mac OS X 10_14_5\", \"ver\": \"Q043\", \"aead\": \"AESG\", \"smhl\": \"1\", \"mids\": \"100\", \"kexs\": \"C255\", \"xlct\": \"cd9baccc808a6d3b\", \"copt\": \"NSTP\", \"ccrt\": \"cd9baccc808a6d3b67f8adc58015e3ff\", \"stk\": \"d6a64aeb563a19fe091bc34e8c038b0a3a884c5db7caae071180c5b739bca3dd7c42e861386718982fbe6db9d1cb136f799e8d10fd5a\", \"pdmd\": \"X509\", \"ccs\": \"01e8816092921ae8\", \"scid\": \"376976b980c73b669fea57104fb725c6\"}}\n```\n\n#### Packet capture file (pcap):\n\nLet's have a look at the captured traffic of Metasploit auxiliary scanner for the recent 
CVE-2019-0708 RDP vulnerability (BlueKeep).\n\n```\n$ python3 fatt.py -r RDP/cve-2019-0708_metasploit_aux.pcap -p -j; cat fatt.log | python -m json.tool\n192.168.1.10:39079 -\u003e 192.168.1.20:3389 [RDP] rdfp=3ba3d115055e593e3550575a36e68153 cookie=\"mstshash=user0\" req_protocols=0x00000000\n\n{\n    \"destinationIp\": \"192.168.1.20\",\n    \"destinationPort\": \"3389\",\n    \"protocol\": \"rdp\",\n    \"rdp\": {\n        \"channelDefArray\": {\n            \"0\": {\n                \"name\": \"cliprdr\",\n                \"options\": \"c0a00000\"\n            },\n            \"1\": {\n                \"name\": \"MS_T120\",\n                \"options\": \"80800000\"\n            },\n            \"2\": {\n                \"name\": \"rdpsnd\",\n                \"options\": \"c0000000\"\n            },\n            \"3\": {\n                \"name\": \"snddbg\",\n                \"options\": \"c0000000\"\n            },\n            \"4\": {\n                \"name\": \"rdpdr\",\n                \"options\": \"80800000\"\n            }\n        },\n        \"clientBuild\": \"2600\",\n        \"clientDigProductId\": \"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\",\n        \"clientName\": \"x1810\",\n        \"clientProductId\": \"1\",\n        \"clusterFlags\": \"09000000\",\n        \"colorDepth\": \"0x0000ca01\",\n        \"connectionType\": \"0\",\n        \"cookie\": \"mstshash=user0\",\n        \"desktopHeight\": \"600\",\n        \"desktopWidth\": \"800\",\n        \"earlyCapabilityFlags\": \"1\",\n        \"encryptionMethods\": \"03000000\",\n        \"extEncMethods\": \"00000000\",\n        \"highColorDepth\": \"0x00000018\",\n        \"keyboardFuncKey\": \"12\",\n        \"keyboardLayout\": \"1033\",\n        \"keyboardSubtype\": \"0\",\n        \"keyboardType\": \"4\",\n        \"pad1Octet\": \"00\",\n        \"postbeta2ColorDepth\": \"0x0000ca01\",\n        \"rdfp\": 
\"3ba3d115055e593e3550575a36e68153\",\n        \"rdfpAlgorithms\": \"4,8,09000000,03000000,00000000,cliprdr:c0a00000-MS_T120:80800000-rdpsnd:c0000000-snddbg:c0000000-rdpdr:80800000\",\n        \"rdfpVersion\": \"0.3\",\n        \"requestedProtocols\": \"0x00000000\",\n        \"sasSequence\": \"43523\",\n        \"serialNumber\": \"0\",\n        \"supportedColorDepths\": \"0x00000007\",\n        \"verMajor\": \"4\",\n        \"verMinor\": \"8\"\n    },\n    \"sourceIp\": \"192.168.1.10\",\n    \"sourcePort\": \"39079\",\n    \"timestamp\": \"2019-05-23T03:51:25.438445\"\n}\n```\n\nLet's test it with another CVE-2019-0708 PoC:\n\n```buildoutcfg\n$ python3 fatt.py -r RDP/cve-2019-0708_poc.pcap -p -j; cat fatt.log | python -m json.tool\n192.168.1.10:54303 -\u003e 192.168.1.20:3389 [RDP] req_protocols=0x00000001\n\n{\n    \"destinationIp\": \"192.168.1.20\",\n    \"destinationPort\": \"3389\",\n    \"protocol\": \"rdp\",\n    \"rdp\": {\n        \"requestedProtocols\": \"0x00000001\"\n    },\n    \"sourceIp\": \"192.168.1.10\",\n    \"sourcePort\": \"54303\",\n    \"timestamp\": \"2019-05-23T18:41:42.572758\"\n}\n```\n\nThis time we don't see the RDP ClientInfo message because the PoC uses TLS (not the standard RDP security protocol). So we can just see the `Negotiation Request` messages, but if you decode the packet as TLS, you can see the TLS clientHello and JA3 fingerprint. 
Here's how you can decode a specific port as another protocol:\n\n```buildoutcfg\n$ python3 fatt.py -r RDP//cve-2019-0708_poc.pcap -p -j --decode_as '{\"tcp.port==3389\": \"tls\"}'\n192.168.1.10:50026 -\u003e 192.168.1.20:3389 [TLS] ja3=67e3d18fd9dddbbc8eca65f7dedac674 serverName=192.168.1.20\n192.168.1.20:3389 -\u003e 192.168.1.10:50026 [TLS] ja3s=649d6810e8392f63dc311eecb6b7098b\n\n$ cat fatt.log\n{\"timestamp\": \"2019-05-23T17:21:56.056200\", \"sourceIp\": \"192.168.1.10\", \"destinationIp\": \"192.168.1.20\", \"sourcePort\": \"50026\", \"destinationPort\": \"3389\", \"protocol\": \"tls\", \"tls\": {\"serverName\": \"192.168.1.20\", \"ja3\": \"67e3d18fd9dddbbc8eca65f7dedac674\", \"ja3Algorithms\": \"771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-57-51-157-156-61-60-53-47-10-106-64-56-50-19-5-4,0-5-10-11-13-35-23-65281,29-23-24,0\", \"ja3Version\": \"771\", \"ja3Ciphers\": \"49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-57-51-157-156-61-60-53-47-10-106-64-56-50-19-5-4\", \"ja3Extensions\": \"0-5-10-11-13-35-23-65281\", \"ja3Ec\": \"29-23-24\", \"ja3EcFmt\": \"0\"}}\n{\"timestamp\": \"2019-05-23T17:21:56.059333\", \"sourceIp\": \"192.168.1.20\", \"destinationIp\": \"192.168.1.10\", \"sourcePort\": \"3389\", \"destinationPort\": \"50026\", \"protocol\": \"tls\", \"tls\": {\"ja3s\": \"649d6810e8392f63dc311eecb6b7098b\", \"ja3sAlgorithms\": \"771,49192,23-65281\", \"ja3sVersion\": \"771\", \"ja3sCiphers\": \"49192\", \"ja3sExtensions\": \"23-65281\"}}\n``` \n\n## TODO:\n\n- https://github.com/0x4D31/fatt/wiki/TODO\n","funding_links":[],"categories":["\u003ca id=\"a76463feb91d09b3d024fae798b92be6\"\u003e\u003c/a\u003e侦察\u0026\u0026信息收集\u0026\u0026子域名发现与枚举\u0026\u0026OSINT","\u003ca id=\"f13469c9891173804423be4403b2c4ff\"\u003e\u003c/a\u003epcap","\u003ca id=\"170048b7d8668c50681c0ab1e92c679a\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca 
id=\"016bb6bd00f1e0f8451f779fe09766db\"\u003e\u003c/a\u003e指纹\u0026\u0026Fingerprinting","\u003ca id=\"eb49514924c3f4bf2acf6f3a4436af13\"\u003e\u003c/a\u003e未分类"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0x4d31%2Ffatt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0x4d31%2Ffatt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0x4d31%2Ffatt/lists"}