Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/clay584/whatls

Read a packet capture and reports on versions of SSL/TLS and cipher suites in use.
https://github.com/clay584/whatls

Last synced: about 1 month ago
JSON representation

Read a packet capture and reports on versions of SSL/TLS and cipher suites in use.

Host: GitHub
URL: https://github.com/clay584/whatls
Owner: clay584
License: gpl-3.0
Created: 2019-10-10T02:21:04.000Z (about 5 years ago)
Default Branch: master
Last Pushed: 2022-07-06T20:17:57.000Z (over 2 years ago)
Last Synced: 2023-08-05T17:12:09.286Z (over 1 year ago)
Language: Python
Homepage:
Size: 71.3 KB
Stars: 0
Watchers: 1
Forks: 1
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE.md

Awesome Lists containing this project

README

# WhaTLS

What version of TLS and ciphers is your service using? WhaTLS reports on all SSL
sessions that were captured and exports the data to CSV.

From the data, making a pivot table and chart is basic Excel magic.

![Excel Pie Chart](excel_screenshot.png)

## What is included in the report?

* capture_file - The name of the capture file where the data was pulled.
* tcp_stream_id - The TCP stream ID in the capture. Useful for finding the packets in the capture for additional research.
* client_hello - The full packet details of the Client Hello packet in the TLS handshake for a given session.
* server_hello - The full packet details of the Server Hello packet in the TLS handshake for a given session.
* negotiated_tls_version - What version of SSL/TLS was chosen for a given session.
* negotiated_cipher_suite - What cipher suite was chosen for a given session.

## Installation

1. Python 3.6 at a minimum.
2. Install tshark by running `sudo apt update && sudo apt install tshark`
3. `git clone https://github.com/clay584/whatls && cd whatls`
4. `pip install -r requirements.txt`

## Usage

1. Take a packet capture from a device and save to file.
2. Pre-filter your capture with `tcpdump -nt -r MyCaptureFile.pcap "$(cat ssl_filter.bpf)" -w MyCaptureFile_filtered.pcap`. This
does two things. First, it makes the analysis faster by orders of magnitude as `tcpdump` with `bpf` is way faster than using a
display filter and iterating through packets with pyshark. Second, I've noticed that when a capture is taken and analyzed
without first running it through `tcpdump`, pyshark chokes on it for some reason and gives incomplete data. In test captures,
41 SSL sessions were found, whereas after using `tcpdump` to filter, pyshark was able to analyze all of it, resulting in
151 SSL sessions.
3. Run `./whatls.py MyCaptureFile_filtered.pcap`.
4. The CSV report will be saved to `MyCaptureFile_filtered.csv`.

## Credits

* Thanks to Brian [@infosecsamurai](https://twitter.com/infosecsamurai) for optimizations and testing.