Fingerprint TLS implementations using state machines inferred by
StateLearner. StateLearner can
learn state machines for (in this case TLS) implementations using a black-box
approach. Different implementations can have a different state machine, which
makes it possible to differentiate them. By combining these state machines into
a single tree, and then probing a live implementation, tlsprint
makes it
possible to fingerprint the TLS implementation running on the target.
Install the latest release from PyPi:
pip install tlsprint
Note: This step is optional, a model.p
is included in the distribution,
which contains a model created using 27 unique state machines, representing 283
different TLS implementations. For the full list of implementations, check the
models
directory in the repository.
After state machines are inferred using StateLearner, run
tlsprint learn <statelearner_output_dir> model.p
to merge all models together into a single
tree. This tree is returned as a pickled networkx
graph, and is required for
the identify
step.
When using the default model, identifying the TLS implementation on a target can be done be running
tlsprint identify <target>
This defaults to port 443, a custom port can be specified by adding
--target-port <port>
.
The command returns a list of possible implementations. All these
implementations share the same model, meaning tlsprint
cannot further specify
the exact implementation.
Passing --graph-dir <output>
to the identify
command, will write DOT files
for all intermediate versions of the model tree. This can be insightful to
understand what tlsprint
is doing.
If you learned a custom model using the learn
command, you can override the
default model using --model <filename>
.