PRETTY_NAMES = {
'alert_level': {
1: 'warning',
2: 'fatal'
},
'alert_description': {
0: 'close_notify',
10: 'unexpected_message',
20: 'bad_record_mac',
21: 'decryption_failed',
22: 'record_overflow',
30: 'decompression_failure',
40: 'handshake_failure',
41: 'no_certificate',
42: 'bad_certificate',
43: 'unsupported_certificate',
44: 'certificate_revoked',
45: 'certificate_expired',
46: 'certificate_unknown',
47: 'illegal_parameter',
48: 'unknown_ca',
49: 'access_denied',
50: 'decode_error',
51: 'decrypt_error',
60: 'export_restriction',
70: 'protocol_version',
71: 'insufficient_security',
80: 'internal_error',
86: 'inappropriate_fallback',
90: 'user_canceled',
100: 'no_renegotiation',
110: 'unsupported_extension',
111: 'certificate_unobtainable',
112: 'unrecognized_name',
113: 'bad_certificate_status_response',
114: 'bad_certificate_hash_value',
115: 'unknown_psk_identity'
},
'cipher_suites': {
0x010080: 'SSL_CK_RC4_128_WITH_MD5',
0x020080: 'SSL_CK_RC4_128_EXPORT40_WITH_MD5',
0x030080: 'SSL_CK_RC2_128_CBC_WITH_MD5 ',
0x040080: 'SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5',
0x050080: 'SSL_CK_IDEA_128_CBC_WITH_MD5',
0x060040: 'SSL_CK_DES_64_CBC_WITH_MD5',
0x0700C0: 'SSL_CK_DES_192_EDE3_CBC_WITH_MD5',
0x080080: 'SSL_CK_RC4_64_WITH_MD5',
0x00: 'TLS_NULL_WITH_NULL_NULL',
0x01: 'TLS_RSA_WITH_NULL_MD5',
0x02: 'TLS_RSA_WITH_NULL_SHA',
0x03: 'TLS_RSA_EXPORT_WITH_RC4_40_MD5',
0x04: 'TLS_RSA_WITH_RC4_128_MD5',
0x05: 'TLS_RSA_WITH_RC4_128_SHA',
0x06: 'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5',
0x07: 'TLS_RSA_WITH_IDEA_CBC_SHA',
0x08: 'TLS_RSA_EXPORT_WITH_DES40_CBC_SHA',
0x09: 'TLS_RSA_WITH_DES_CBC_SHA',
0x0A: 'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
0x0B: 'TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA',
0x0C: 'TLS_DH_DSS_WITH_DES_CBC_SHA',
0x0D: 'TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA',
0x0E: 'TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA',
0x0F: 'TLS_DH_RSA_WITH_DES_CBC_SHA',
0x10: 'TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA',
0x11: 'TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA',
0x12: 'TLS_DHE_DSS_WITH_DES_CBC_SHA',
0x13: 'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA',
0x14: 'TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA',
0x15: 'TLS_DHE_RSA_WITH_DES_CBC_SHA',
0x16: 'TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA',
0x17: 'TLS_DH_anon_EXPORT_WITH_RC4_40_MD5',
0x18: 'TLS_DH_anon_WITH_RC4_128_MD5',
0x19: 'TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA',
0x1A: 'TLS_DH_anon_WITH_DES_CBC_SHA',
0x1B: 'TLS_DH_anon_WITH_3DES_EDE_CBC_SHA',
0x1E: 'TLS_KRB5_WITH_DES_CBC_SHA',
0x1F: 'TLS_KRB5_WITH_3DES_EDE_CBC_SHA',
0x20: 'TLS_KRB5_WITH_RC4_128_SHA',
0x21: 'TLS_KRB5_WITH_IDEA_CBC_SHA',
0x22: 'TLS_KRB5_WITH_DES_CBC_MD5',
0x23: 'TLS_KRB5_WITH_3DES_EDE_CBC_MD5',
0x24: 'TLS_KRB5_WITH_RC4_128_MD5',
0x25: 'TLS_KRB5_WITH_IDEA_CBC_MD5',
0x26: 'TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA',
0x27: 'TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA',
0x28: 'TLS_KRB5_EXPORT_WITH_RC4_40_SHA',
0x29: 'TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5',
0x2A: 'TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5',
0x2B: 'TLS_KRB5_EXPORT_WITH_RC4_40_MD5',
0x2C: 'TLS_PSK_WITH_NULL_SHA',
0x2D: 'TLS_DHE_PSK_WITH_NULL_SHA',
0x2E: 'TLS_RSA_PSK_WITH_NULL_SHA',
0x2F: 'TLS_RSA_WITH_AES_128_CBC_SHA',
0x30: 'TLS_DH_DSS_WITH_AES_128_CBC_SHA',
0x31: 'TLS_DH_RSA_WITH_AES_128_CBC_SHA',
0x32: 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
0x33: 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
0x34: 'TLS_DH_anon_WITH_AES_128_CBC_SHA',
0x35: 'TLS_RSA_WITH_AES_256_CBC_SHA',
0x36: 'TLS_DH_DSS_WITH_AES_256_CBC_SHA',
0x37: 'TLS_DH_RSA_WITH_AES_256_CBC_SHA',
0x38: 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
0x39: 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
0x3A: 'TLS_DH_anon_WITH_AES_256_CBC_SHA',
0x3B: 'TLS_RSA_WITH_NULL_SHA256',
0x3C: 'TLS_RSA_WITH_AES_128_CBC_SHA256',
0x3D: 'TLS_RSA_WITH_AES_256_CBC_SHA256',
0x3E: 'TLS_DH_DSS_WITH_AES_128_CBC_SHA256',
0x3F: 'TLS_DH_RSA_WITH_AES_128_CBC_SHA256',
0x40: 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
0x41: 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
0x42: 'TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA',
0x43: 'TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA',
0x44: 'TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA',
0x45: 'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',
0x46: 'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',
0x60: 'TLS_RSA_EXPORT1024_WITH_RC4_56_MD5',
0x61: 'TLS_RSA_EXPORT1024_WITH_RC2_56_MD5',
0x62: 'TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA',
0x63: 'TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA',
0x64: 'TLS_RSA_EXPORT1024_WITH_RC4_56_SHA',
0x65: 'TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA',
0x66: 'TLS_DHE_DSS_WITH_RC4_128_SHA',
0x67: 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
0x68: 'TLS_DH_DSS_WITH_AES_256_CBC_SHA256',
0x69: 'TLS_DH_RSA_WITH_AES_256_CBC_SHA256',
0x6A: 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
0x6B: 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
0x6C: 'TLS_DH_anon_WITH_AES_128_CBC_SHA256',
0x6D: 'TLS_DH_anon_WITH_AES_256_CBC_SHA256',
0x80: 'TLS_GOSTR341094_WITH_28147_CNT_IMIT',
0x81: 'TLS_GOSTR341001_WITH_28147_CNT_IMIT',
0x82: 'TLS_GOSTR341094_WITH_NULL_GOSTR3411',
0x83: 'TLS_GOSTR341001_WITH_NULL_GOSTR3411',
0x84: 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
0x85: 'TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA',
0x86: 'TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA',
0x87: 'TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA',
0x88: 'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',
0x89: 'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',
0x8A: 'TLS_PSK_WITH_RC4_128_SHA',
0x8B: 'TLS_PSK_WITH_3DES_EDE_CBC_SHA',
0x8C: 'TLS_PSK_WITH_AES_128_CBC_SHA',
0x8D: 'TLS_PSK_WITH_AES_256_CBC_SHA',
0x8E: 'TLS_DHE_PSK_WITH_RC4_128_SHA',
0x8F: 'TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA',
0x90: 'TLS_DHE_PSK_WITH_AES_128_CBC_SHA',
0x91: 'TLS_DHE_PSK_WITH_AES_256_CBC_SHA',
0x92: 'TLS_RSA_PSK_WITH_RC4_128_SHA',
0x93: 'TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA',
0x94: 'TLS_RSA_PSK_WITH_AES_128_CBC_SHA',
0x95: 'TLS_RSA_PSK_WITH_AES_256_CBC_SHA',
0x96: 'TLS_RSA_WITH_SEED_CBC_SHA',
0x97: 'TLS_DH_DSS_WITH_SEED_CBC_SHA',
0x98: 'TLS_DH_RSA_WITH_SEED_CBC_SHA',
0x99: 'TLS_DHE_DSS_WITH_SEED_CBC_SHA',
0x9A: 'TLS_DHE_RSA_WITH_SEED_CBC_SHA',
0x9B: 'TLS_DH_anon_WITH_SEED_CBC_SHA',
0x9C: 'TLS_RSA_WITH_AES_128_GCM_SHA256',
0x9D: 'TLS_RSA_WITH_AES_256_GCM_SHA384',
0x9E: 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
0x9F: 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
0xA0: 'TLS_DH_RSA_WITH_AES_128_GCM_SHA256',
0xA1: 'TLS_DH_RSA_WITH_AES_256_GCM_SHA384',
0xA2: 'TLS_DHE_DSS_WITH_AES_128_GCM_SHA256',
0xA3: 'TLS_DHE_DSS_WITH_AES_256_GCM_SHA384',
0xA4: 'TLS_DH_DSS_WITH_AES_128_GCM_SHA256',
0xA5: 'TLS_DH_DSS_WITH_AES_256_GCM_SHA384',
0xA6: 'TLS_DH_anon_WITH_AES_128_GCM_SHA256',
0xA7: 'TLS_DH_anon_WITH_AES_256_GCM_SHA384',
0xA8: 'TLS_PSK_WITH_AES_128_GCM_SHA256',
0xA9: 'TLS_PSK_WITH_AES_256_GCM_SHA384',
0xAA: 'TLS_DHE_PSK_WITH_AES_128_GCM_SHA256',
0xAB: 'TLS_DHE_PSK_WITH_AES_256_GCM_SHA384',
0xAC: 'TLS_RSA_PSK_WITH_AES_128_GCM_SHA256',
0xAD: 'TLS_RSA_PSK_WITH_AES_256_GCM_SHA384',
0xAE: 'TLS_PSK_WITH_AES_128_CBC_SHA256',
0xAF: 'TLS_PSK_WITH_AES_256_CBC_SHA384',
0xB0: 'TLS_PSK_WITH_NULL_SHA256',
0xB1: 'TLS_PSK_WITH_NULL_SHA384',
0xB2: 'TLS_DHE_PSK_WITH_AES_128_CBC_SHA256',
0xB3: 'TLS_DHE_PSK_WITH_AES_256_CBC_SHA384',
0xB4: 'TLS_DHE_PSK_WITH_NULL_SHA256',
0xB5: 'TLS_DHE_PSK_WITH_NULL_SHA384',
0xB6: 'TLS_RSA_PSK_WITH_AES_128_CBC_SHA256',
0xB7: 'TLS_RSA_PSK_WITH_AES_256_CBC_SHA384',
0xB8: 'TLS_RSA_PSK_WITH_NULL_SHA256',
0xB9: 'TLS_RSA_PSK_WITH_NULL_SHA384',
0xBA: 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256',
0xBB: 'TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256',
0xBC: 'TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256',
0xBD: 'TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256',
0xBE: 'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
0xBF: 'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256',
0xC0: 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',
0xC1: 'TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256',
0xC2: 'TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256',
0xC3: 'TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256',
0xC4: 'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256',
0xC5: 'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256',
0xFF: 'TLS_EMPTY_RENEGOTIATION_INFO_SCSV',
0x5600: 'TLS_FALLBACK_SCSV',
0xC001: 'TLS_ECDH_ECDSA_WITH_NULL_SHA',
0xC002: 'TLS_ECDH_ECDSA_WITH_RC4_128_SHA',
0xC003: 'TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA',
0xC004: 'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA',
0xC005: 'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA',
0xC006: 'TLS_ECDHE_ECDSA_WITH_NULL_SHA',
0xC007: 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA',
0xC008: 'TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA',
0xC009: 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
0xC00A: 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
0xC00B: 'TLS_ECDH_RSA_WITH_NULL_SHA',
0xC00C: 'TLS_ECDH_RSA_WITH_RC4_128_SHA',
0xC00D: 'TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA',
0xC00E: 'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA',
0xC00F: 'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA',
0xC010: 'TLS_ECDHE_RSA_WITH_NULL_SHA',
0xC011: 'TLS_ECDHE_RSA_WITH_RC4_128_SHA',
0xC012: 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA',
0xC013: 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
0xC014: 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
0xC015: 'TLS_ECDH_anon_WITH_NULL_SHA',
0xC016: 'TLS_ECDH_anon_WITH_RC4_128_SHA',
0xC017: 'TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA',
0xC018: 'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
0xC019: 'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',
0xC01A: 'TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA',
0xC01B: 'TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA',
0xC01C: 'TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA',
0xC01D: 'TLS_SRP_SHA_WITH_AES_128_CBC_SHA',
0xC01E: 'TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA',
0xC01F: 'TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA',
0xC020: 'TLS_SRP_SHA_WITH_AES_256_CBC_SHA',
0xC021: 'TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA',
0xC022: 'TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA',
0xC023: 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
0xC024: 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
0xC025: 'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256',
0xC026: 'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384',
0xC027: 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
0xC028: 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
0xC029: 'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256',
0xC02A: 'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384',
0xC02B: 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
0xC02C: 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
0xC02D: 'TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256',
0xC02E: 'TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384',
0xC02F: 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
0xC030: 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
0xC031: 'TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256',
0xC032: 'TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384',
0xC033: 'TLS_ECDHE_PSK_WITH_RC4_128_SHA',
0xC034: 'TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA',
0xC035: 'TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA',
0xC036: 'TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA',
0xC037: 'TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256',
0xC038: 'TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384',
0xC039: 'TLS_ECDHE_PSK_WITH_NULL_SHA',
0xC03A: 'TLS_ECDHE_PSK_WITH_NULL_SHA256',
0xC03B: 'TLS_ECDHE_PSK_WITH_NULL_SHA384',
0xC03C: 'TLS_RSA_WITH_ARIA_128_CBC_SHA256',
0xC03D: 'TLS_RSA_WITH_ARIA_256_CBC_SHA384',
0xC03E: 'TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256',
0xC03F: 'TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384',
0xC040: 'TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256',
0xC041: 'TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384',
0xC042: 'TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256',
0xC043: 'TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384',
0xC044: 'TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256',
0xC045: 'TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384',
0xC046: 'TLS_DH_anon_WITH_ARIA_128_CBC_SHA256',
0xC047: 'TLS_DH_anon_WITH_ARIA_256_CBC_SHA384',
0xC048: 'TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256',
0xC049: 'TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384',
0xC04A: 'TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256',
0xC04B: 'TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384',
0xC04C: 'TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256',
0xC04D: 'TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384',
0xC04E: 'TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256',
0xC04F: 'TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384',
0xC050: 'TLS_RSA_WITH_ARIA_128_GCM_SHA256',
0xC051: 'TLS_RSA_WITH_ARIA_256_GCM_SHA384',
0xC052: 'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256',
0xC053: 'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384',
0xC054: 'TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256',
0xC055: 'TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384',
0xC056: 'TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256',
0xC057: 'TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384',
0xC058: 'TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256',
0xC059: 'TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384',
0xC05A: 'TLS_DH_anon_WITH_ARIA_128_GCM_SHA256',
0xC05B: 'TLS_DH_anon_WITH_ARIA_256_GCM_SHA384',
0xC05C: 'TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256',
0xC05D: 'TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384',
0xC05E: 'TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256',
0xC05F: 'TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384',
0xC060: 'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256',
0xC061: 'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384',
0xC062: 'TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256',
0xC063: 'TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384',
0xC064: 'TLS_PSK_WITH_ARIA_128_CBC_SHA256',
0xC065: 'TLS_PSK_WITH_ARIA_256_CBC_SHA384',
0xC066: 'TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256',
0xC067: 'TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384',
0xC068: 'TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256',
0xC069: 'TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384',
0xC06A: 'TLS_PSK_WITH_ARIA_128_GCM_SHA256',
0xC06B: 'TLS_PSK_WITH_ARIA_256_GCM_SHA384',
0xC06C: 'TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256',
0xC06D: 'TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384',
0xC06E: 'TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256',
0xC06F: 'TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384',
0xC070: 'TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256',
0xC071: 'TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384',
0xC072: 'TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256',
0xC073: 'TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384',
0xC074: 'TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256',
0xC075: 'TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384',
0xC076: 'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
0xC077: 'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384',
0xC078: 'TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256',
0xC079: 'TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384',
0xC07A: 'TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256',
0xC07B: 'TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384',
0xC07C: 'TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256',
0xC07D: 'TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384',
0xC07E: 'TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256',
0xC07F: 'TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384',
0xC080: 'TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256',
0xC081: 'TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384',
0xC082: 'TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256',
0xC083: 'TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384',
0xC084: 'TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256',
0xC085: 'TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384',
0xC086: 'TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256',
0xC087: 'TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384',
0xC088: 'TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256',
0xC089: 'TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384',
0xC08A: 'TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256',
0xC08B: 'TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384',
0xC08C: 'TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256',
0xC08D: 'TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384',
0xC08E: 'TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256',
0xC08F: 'TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384',
0xC090: 'TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256',
0xC091: 'TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384',
0xC092: 'TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256',
0xC093: 'TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384',
0xC094: 'TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256',
0xC095: 'TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384',
0xC096: 'TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256',
0xC097: 'TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384',
0xC098: 'TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256',
0xC099: 'TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384',
0xC09A: 'TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256',
0xC09B: 'TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384',
0xC09C: 'TLS_RSA_WITH_AES_128_CCM',
0xC09D: 'TLS_RSA_WITH_AES_256_CCM',
0xC09E: 'TLS_DHE_RSA_WITH_AES_128_CCM',
0xC09F: 'TLS_DHE_RSA_WITH_AES_256_CCM',
0xC0A0: 'TLS_RSA_WITH_AES_128_CCM_8',
0xC0A1: 'TLS_RSA_WITH_AES_256_CCM_8',
0xC0A2: 'TLS_DHE_RSA_WITH_AES_128_CCM_8',
0xC0A3: 'TLS_DHE_RSA_WITH_AES_256_CCM_8',
0xC0A4: 'TLS_PSK_WITH_AES_128_CCM',
0xC0A5: 'TLS_PSK_WITH_AES_256_CCM',
0xC0A6: 'TLS_DHE_PSK_WITH_AES_128_CCM',
0xC0A7: 'TLS_DHE_PSK_WITH_AES_256_CCM',
0xC0A8: 'TLS_PSK_WITH_AES_128_CCM_8',
0xC0A9: 'TLS_PSK_WITH_AES_256_CCM_8',
0xC0AA: 'TLS_PSK_DHE_WITH_AES_128_CCM_8',
0xC0AB: 'TLS_PSK_DHE_WITH_AES_256_CCM_8',
0xC09C: 'TLS_RSA_WITH_AES_128_CCM',
0xC09D: 'TLS_RSA_WITH_AES_256_CCM',
0xC09E: 'TLS_DHE_RSA_WITH_AES_128_CCM',
0xC09F: 'TLS_DHE_RSA_WITH_AES_256_CCM',
0xC0A0: 'TLS_RSA_WITH_AES_128_CCM_8',
0xC0A1: 'TLS_RSA_WITH_AES_256_CCM_8',
0xC0A2: 'TLS_DHE_RSA_WITH_AES_128_CCM_8',
0xC0A3: 'TLS_DHE_RSA_WITH_AES_256_CCM_8',
0xC0A4: 'TLS_PSK_WITH_AES_128_CCM',
0xC0A5: 'TLS_PSK_WITH_AES_256_CCM',
0xC0A6: 'TLS_DHE_PSK_WITH_AES_128_CCM',
0xC0A7: 'TLS_DHE_PSK_WITH_AES_256_CCM',
0xC0A8: 'TLS_PSK_WITH_AES_128_CCM_8',
0xC0A9: 'TLS_PSK_WITH_AES_256_CCM_8',
0xC0AA: 'TLS_PSK_DHE_WITH_AES_128_CCM_8',
0xC0AB: 'TLS_PSK_DHE_WITH_AES_256_CCM_80',
0xC0AC: 'TLS_ECDHE_ECDSA_WITH_AES_128_CCM',
0xC0AD: 'TLS_ECDHE_ECDSA_WITH_AES_256_CCM',
0xC0AE: 'TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8',
0xC0AF: 'TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8',
0xCC13: 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
0xCC14: 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256',
0xCC15: 'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
0xCCA8: 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
0xCCA9: 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256',
0xFEFE: 'SSL_RSA_FIPS_WITH_DES_CBC_SHA',
0xFEFE: 'SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA',
0xFFE0: 'SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA',
0xFFE1: 'SSL_RSA_FIPS_WITH_DES_CBC_SHA'
},
'compression_methods': {
0: 'null',
1: 'Zlib'
},
'ec_point_formats': {
0: 'uncompressed',
1: 'ansiX962_compressed_prime',
2: 'ansiX962_compressed_char2'
},
'extension_type': {
0: 'server_name',
1: 'max_fragment_length',
2: 'client_certificate_url',
3: 'trusted_ca_keys',
4: 'truncated_hmac',
5: 'status_request',
6: 'user_mapping',
7: 'client_authz',
8: 'server_authz',
9: 'cert_type',
10: 'elliptic_curves',
11: 'ec_point_formats',
12: 'srp',
13: 'signature_algorithms',
14: 'use_srtp',
15: 'heartbeat',
16: 'application_layer_protocol_negotiation',
17: 'status_request_v2',
18: 'signed_certificate_timestamp',
19: 'client_certificate_type',
20: 'server_certificate_type',
21: 'padding',
22: 'encrypt_then_mac',
23: 'extended_master_secret',
35: 'SessionTicket_TLS',
13172: 'next_protocol_negotiation',
30031: 'channel_id_old',
30032: 'channel_id',
62208: 'tack',
65281: 'renegotiation_info'},
'heartbeat': {
0: 'heartbeat_request',
1: 'peer_allowed_to_send'
},
'elliptic_curves': {
1: 'sect163k1',
2: 'sect163r1',
3: 'sect163r2',
4: 'sect193r1',
5: 'sect193r2',
6: 'sect233k1',
7: 'sect233r1',
8: 'sect239k1',
9: 'sect283k1',
10: 'sect283r1',
11: 'sect409k1',
12: 'sect409r1',
13: 'sect571k1',
14: 'sect571r1',
15: 'secp160k1',
16: 'secp160r1',
17: 'secp160r2',
18: 'secp192k1',
19: 'secp192r1',
20: 'secp224k1',
21: 'secp224r1',
22: 'secp256k1',
23: 'secp256r1',
24: 'secp384r1',
25: 'secp521r1',
26: 'brainpoolP256r1',
27: 'brainpoolP384r1',
28: 'brainpoolP512r1',
256: 'ffdhe2048',
257: 'ffdhe3072',
258: 'ffdhe4096',
259: 'ffdhe6144',
260: 'ffdhe8192',
65281: 'arbitrary_explicit_prime_curves',
65282: 'arbitrary_explicit_char2_curves'
},
'signature_algorithms_hash': { #RFC 5246
0: 'none',
1: 'md5',
2: 'sha1',
3: 'sha224',
4: 'sha256',
5: 'sha384',
6: 'sha512'
},
'signature_algorithms_signature': {
0: 'anonymous',
1: 'rsa',
2: 'dsa',
3: 'ecdsa'
},
'status_request': {
0: 'empty'
},
'tls_record': {
20: 'change_cipher',
21: 'alert',
22: 'handshake',
23: 'application_data'
},
'tls_version': {
0x300: 'SSL 3.0',
0x301: 'TLS 1.0',
0x302: 'TLS 1.1',
0x303: 'TLS 1.2',
}
}
# coding: utf-8
#!/usr/bin/env python
from __future__ import absolute_import
from __future__ import print_function
import argparse
from binascii import hexlify
import socket
import struct
import json
import sys
import textwrap
import dpkt
from constants import PRETTY_NAMES
from asn1crypto import x509
from dpkt import ssl, Packet
import pickle
global streambuffer
streambuffer = {}
global encrypted_streams
encrypted_streams = [] # change_cipher
global ssl_servers_certs
ssl_servers_certs = {}
global ssl_servers_with_client_hello
ssl_servers_with_client_hello = set()
global client_hello_set
client_hello_set = set()
global ssl_flows
ssl_flows = []
global buffer
buffer = {}
need_more_parse = False
def tls_multi_factory_new(buf):
"""
Attempt to parse one or more TLSRecord's out of buf
:param buf: string containing SSL/TLS messages. May have an incomplete record on the end
:return: [TLSRecord] int, total bytes consumed, != len(buf) if an incomplete record was left at the end.
Raises SSL3Exception.
"""
i, n = 0, len(buf)
msgs = []
while i+5 <= n:
v = buf[i + 1:i + 3]
if v in ssl.SSL3_VERSION_BYTES:
try:
msg = ssl.TLSRecord(buf[i:])
msgs.append(msg)
except dpkt.NeedData:
break
else:
if i == 0: ############################################ added
raise ssl.SSL3Exception('Bad TLS version in buf: %r' % buf[i:i + 5])
else:
break
i += len(msg)
return msgs, i
class TLSClientHelloNew(ssl.TLSClientHello):
def unpack(self, buf):
Packet.unpack(self, buf)
# now session, cipher suites, extensions are in self.data
self.session_id, pointer = ssl.parse_variable_array(self.data, 1)
# handle ciphersuites
self.ciphersuites, parsed = ssl.parse_variable_array(self.data[pointer:], 2)
pointer += parsed
self.num_ciphersuites = int(len(self.ciphersuites) / 2)
# check len(ciphersuites) % 2 == 0 ?
# compression methods
compression_methods, parsed = ssl.parse_variable_array(self.data[pointer:], 1)
pointer += parsed
self.num_compression_methods = parsed - 1
# self.compression_methods = map(ord, compression_methods) # for python2
# ******************************************************************
self.compression_methods = compression_methods # for python3 !********************************************
# Parse extensions if present
if len(self.data[pointer:]) >= 6:
self.extensions = ssl.parse_extensions(self.data[pointer:])
class FlowDirection(object):
OUT = 1
IN = 2
UNKNOWN = 3
class Extension(object):
"""
Encapsulates TLS extensions.
"""
def __init__(self, payload):
self._type_id, payload = unpacker('H', payload)
self._type_name = pretty_name('extension_type', self._type_id)
self._length, payload = unpacker('H', payload)
# Data contains an array with the 'raw' contents
self._data = None
# pretty_data contains an array with the 'beautified' contents
self._pretty_data = None
if self._length > 0:
self._data, self._pretty_data = parse_extension(payload[:self._length],
self._type_name)
def __str__(self):
# Prints out data array in textual format
return '{0}: {1}'.format(self._type_name, self._pretty_data)
class OP:
CHECK_TLS_PACKET = 1
MERGE_TLS_PACKET = 2
def analyze_packet(_timestamp, packet, nth, op):
"""
Main analysis loop for pcap.
"""
eth = dpkt.ethernet.Ethernet(packet)
if isinstance(eth.data, dpkt.ip.IP):
#print("timestamp:", _timestamp, "debug")
parse_ip_packet(eth.data, nth, _timestamp, op)
def parse_arguments():
"""
Parses command line arguments.
"""
global filename
global verboseprint
global output_file
parser = argparse.ArgumentParser(
formatter_class=argparse.RawDescriptionHelpFormatter,
description=textwrap.dedent('''\
Captures, parses and shows TLS Handshake packets
Copyright (C) 2015 Peter Mosmans [Go Forward]
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.'''))
parser.add_argument('-r', '--read', metavar='FILE', action='store',
help='read from file (don\'t capture live packets)')
parser.add_argument('-v', '--verbose', action='store_true',
help='increase output verbosity')
parser.add_argument('-o', '--output', action='store',
help='output file')
args = parser.parse_args()
if args.verbose:
def verboseprint(*args):
print('# ', end="")
for arg in args:
print(arg, end="")
print()
else:
verboseprint = lambda *a: None
filename = None
if args.read:
filename = args.read
output_file = "demo_output.txt"
if args.output:
output_file = args.output
def parse_ip_packet(ip, nth, timestamp, op):
"""
Parses IP packet.
"""
sys.stdout.flush()
if isinstance(ip.data, dpkt.tcp.TCP) and len(ip.data.data):
# print("****TCP packet found****", "tcp payload:", list(ip.data.data))
parse_tcp_packet(ip, nth, timestamp, op)
# TLS version
def check_tls_version(data):
version2 = False
version3 = False
if len(data) > 2:
# ssl
tmp = struct.unpack("bbb", data[0:3])
else:
return version2, version3
# SSL v2. OR Message body too short.
if (tmp[0] & 0x80 == 0x80) and (((tmp[0] & 0x7f) << 8 | tmp[1]) > 9):
version2 = True
elif (tmp[1] != 3) or (tmp[2] > 3): # 版本,SSL 3.0 or TLS 1.0, 1.1 and 1.2
version3 = False
elif(tmp[0] < 20) or (tmp[0] > 23): # 类型错误
pass
else:
version3 = True
return version2, version3
def parse_tcp_packet(ip, nth, timestamp, op):
"""
Parses TCP packet.
"""
stream = ip.data.data
""" refer: The Transport Layer Security (TLS) Protocol URL:https://tools.ietf.org/html/rfc5246
enum {
change_cipher_spec(20), alert(21), handshake(22),
application_data(23), (255)
} ContentType;
"""
# ssl flow
"""
version2, version3 = check_tls_version(stream)
if not version2 and not version3:
return
"""
if nth == 59158:
#print("59162 coming....", list(stream))
# print("62648 coming....", list(stream))
print("59158 coming....", list(stream))
# if (stream[0]) not in {20, 21, 22, 23}:
# return
if stream[0] in {20, 21, 22}:
parse_tls_records(ip, stream, nth)
record_recent_data_flow(ip, stream, nth, timestamp)
# connection = '{0}:{1}-{2}:{3}'.format(socket.inet_ntoa(ip.src),
# ip.data.sport,
# socket.inet_ntoa(ip.dst),
# ip.data.dport)
# print("*"*99)
# print("23 SSL application data:{} 10 sample:{} nth:{}".format(connection, list(stream[:10]), nth))
# buffer record recent ssl flow from handshake to app data TODO precise description
# record_recent_data_flow(ip, stream, nth, timestamp)
def has_application_data(flow_list):
for flow in flow_list:
if flow[0] == 23:
return True
return False
def record_recent_data_flow(ip, stream, nth, timestamp):
global buffer
src_ip = '{0}:{1}'.format(socket.inet_ntoa(ip.src), ip.data.sport)
dst_ip = '{0}:{1}'.format(socket.inet_ntoa(ip.dst), ip.data.dport)
"""
if src_ip in '192.168.56.114:1110-203.208.39.223:443' or dst_ip in '192.168.56.114:1110-203.208.39.223:443':
# if src_ip in '192.168.56.114:1440-217.69.139.244:443' or dst_ip in '192.168.56.114:1440-217.69.139.244:443':
print("debug")
"""
if "{}-{}".format(src_ip, dst_ip) in client_hello_set: # OUT flow
connection_key = "{}-{}".format(src_ip, dst_ip)
"""
if connection_key == '192.168.56.114:1110-203.208.39.223:443':
# if connection_key == '192.168.56.114:1440-217.69.139.244:443':
print("check data")
"""
buffer[connection_key]["out"].append((stream[0], nth, timestamp, stream))
elif "{}-{}".format(dst_ip, src_ip) in client_hello_set: # IN flow
connection_key = "{}-{}".format(dst_ip, src_ip)
"""
# if connection_key == '192.168.56.114:1440-217.69.139.244:443':
if connection_key == '192.168.56.114:1110-203.208.39.223:443':
print("check data")
"""
buffer[connection_key]["in"].append((stream[0], nth, timestamp, stream))
"""
flow_dir = FlowDirection.UNKNOWN
connection_key = ""
# identify flow direction
if dst_ip in ssl_servers_with_client_hello: # OUT flow
flow_dir = FlowDirection.OUT
connection_key = "{}-{}".format(src_ip, dst_ip)
elif src_ip in ssl_servers_with_client_hello: # IN flow
flow_dir = FlowDirection.IN
connection_key = "{}-{}".format(dst_ip, src_ip)
else:
print("Warning: not find in ssl_servers_with_client_hello! src_ip:{} dst_ip:{}".format(src_ip, dst_ip))
print("dump this NOT useful data!!! 10:", list(stream[:10]), "nth:", nth)
return
if connection_key in buffer: # buffer has only data with client hello
if flow_dir == FlowDirection.OUT:
buffer[connection_key]["out"].append((stream[0], nth, timestamp, list(stream)))
elif flow_dir == FlowDirection.IN:
buffer[connection_key]["in"].append((stream[0], nth, timestamp, list(stream)))
else:
print("Warning: not find client hello. src_ip:{} dst_ip:{} {}".format(src_ip, dst_ip, connection_key))
print("dump this NOT useful data!!! 10:", list(stream[:10]), "nth:", nth)
if src_ip == "166.111.5.193:3390":
print("check debug")
print(ssl_servers_with_client_hello)
print(src_ip in ssl_servers_with_client_hello)
print(dst_ip in ssl_servers_with_client_hello)
"""
def add_to_complete_ssl_flow(connection_key, buffer):
# We want SSL flow data from ***ClientHello*** to ***AppData***
"""
if connection_key == '192.168.56.114:1110-203.208.39.223:443':
# if connection_key == '192.168.56.114:1440-217.69.139.244:443':
print("check data")
"""
global ssl_flows
assert connection_key in client_hello_set
server = connection_key.split("-")[1]
assert server in ssl_servers_with_client_hello
print("**** add to wanted flow *** {}".format(connection_key))
ssl_flows.append({"connection": connection_key, "payload": dict(buffer[connection_key])}) #, "certs": list(ssl_servers_certs[connection_key]) if connection_key in ssl_servers_certs else []})
# def add_to_buffer(ip, partial_stream):
# """
# Adds partial_stream of ip to global stream buffer.
# """
# global streambuffer
# connection = '{0}:{1}-{2}:{3}'.format(socket.inet_ntoa(ip.src),
# ip.data.sport,
# socket.inet_ntoa(ip.dst),
# ip.data.dport)
# streambuffer[connection] = partial_stream
# verboseprint('Added {0} bytes (seq {1}) to streambuffer for {2}'.
# format(len(partial_stream), ip.data.seq, connection))
def client_hello_ssl_v2(data):
tmp = struct.unpack("bbb", data[0:3])
if tmp[2] == 0x01:
# Client_hello.
lens = (tmp[0] & 0x7f) << 8 | tmp[1]
cipher_specs_size = (data[5] << 8) | data[6]
if cipher_specs_size % 3 != 0: # Cipher specs not a multiple of 3 bytes.
return 0
session_id_len = (data[7] << 8) | data[8]
random_size = (data[9] << 8) | data[10]
if lens < (9 + cipher_specs_size + session_id_len + random_size):
return 0
return lens + 2
# if tmp[2] == 0x00: # ERROR.
# ty = 0
if tmp[2] == 0x04:
# Server hello, Not processing
lens = (tmp[0] & 0x7f) << 8 | tmp[1]
return lens+2
return 0
def parse_tls_records(ip, stream, nth=None, need_certs=False):
is_tls_v2, version3 = check_tls_version(stream)
"""
Parses TLS Records.
TLS Handshake
+-----+ +-----+
| | | |
| | ClientHello | |
| o----------------------------> | |
| | | |
CLIENT | | ServerHello | | SERVER
| | [Certificate] | |
| | [ServerKeyExchange] | |
| | [CertificateRequest] | |
| | ServerHelloDone | |
| | <----------------------------o |
| | | |
| | [Certificate] | |
| | ClientKeyExchange | |
| | [CertificateVerify] | |
| | ** ChangeCipherSpec ** | |
| | Finished | |
| o----------------------------> | |
| | | |
| | ** ChangeCipherSpec ** | |
| | Finished | |
| | <----------------------------o |
| | | |
+-----+ +-----+
Optional messages
--------------------------------------------------------------------------------------------
Certificate (server) needed with all key exchange algorithms, except for anonymous ones.
ServerKeyExchange needed in some cases, like Diffie-Hellman key exchange algorithm.
CertificateRequest needed if Client authentication is required.
Certificate (client) needed in response to CertificateRequest by the server.
CertificateVerify needed if client Certificate message was sent.
"""
if nth:
print("*"*99)
print("20 21 22 23 ??? SSL tcp payload(10):", list(stream[:10]), "nth:", nth)
assert (stream[0]) in {20, 21, 22, 23}
# print("Found reassembled segments data: {}".format(stream[0]))
#print("SSL tcp payload:", list(stream))
try:
#records, bytes_used = dpkt.ssl.tls_multi_factory(stream)
records = []
if is_tls_v2:
length = client_hello_ssl_v2(stream)
print("SSv2 tls found. extra len:{}".format(length))
records, bytes_used = tls_multi_factory_new(stream[length:])
else:
records, bytes_used = tls_multi_factory_new(stream)
except dpkt.ssl.SSL3Exception as exception:
verboseprint('exception while parsing TLS records: {0}'.
format(exception))
return
connection = '{0}:{1}-{2}:{3}'.format(socket.inet_ntoa(ip.src),
ip.data.sport,
socket.inet_ntoa(ip.dst),
ip.data.dport)
global encrypted_streams
# if bytes_used != len(stream):
# add_to_buffer(ip, stream[bytes_used:])
if len(records) > 1:
print("SSL stream has many({}) records!".format(len(records)))
for record in records:
# record_type = pretty_name('tls_record', record.type)
# print('captured TLS record type {0}'.format(record_type))
# if record_type == 'handshake':
if record.type == 0x16: # HandShake
parse_tls_handshake(ip, record.data, record.length, need_certs)
if record.type == 0x15: # Alert
# if record_type == 'alert':
parse_alert_message(connection, record.data)
# The change cipher spec protocol is used to change the encryption being used by the client and server. It is normally used as part of the handshake process to switch to symmetric key encryption. The CCS protocol is a single message that tells the peer that the sender wants to change to a new set of keys, which are then created from information exchanged by the handshake protocol.
# SSL修改密文协议的设计目的是为了保障SSL传输过程的安全性,因为SSL协议要求客户端或服务器端每隔一段时间必须改变其加解密参数。当某一方要改变其加解密参数时,就发送一个简单的消息通知对方下一个要传送的数据将采用新的加解密参数,也就是要求对方改变原来的安全参数。
# if record_type == 'change_cipher': # Since the Change Cipher Spec message modifies encryption settings, a new record should begin immediately afterwards, so that the new settings are immediately applied (in particular, it is crucial for security that the Finished message uses the new encryption and MAC).
if record.type == 0x14: # Change Cipher Spec
print('[+] Change cipher - encrypted messages from now on for {0}'.format(connection))
encrypted_streams.append(connection)
if record.type == 0x17:
# application data
pass
sys.stdout.flush()
def parse_tls_handshake(ip, data, record_length, need_certs=False):
"""
Parses TLS Handshake message contained in data according to their type.
"""
connection = '{0}:{1}-{2}:{3}'.format(socket.inet_ntoa(ip.src),
ip.data.sport,
socket.inet_ntoa(ip.dst),
ip.data.dport)
global encrypted_streams
if connection in encrypted_streams:
print("*** MUST have cipher change flow first!!! ***")
print('[+] Encrypted handshake message between {0}'.format(connection))
return
else:
handshake_type = ord(data[:1])
verboseprint('First 10 bytes {0}'.
format(hexlify(data[:10])))
if handshake_type == 4:
print('[#] New Session Ticket is not implemented yet')
return
total_len_consumed = 0
while total_len_consumed < record_length:
if total_len_consumed > 0:
print("What the fuck is it???? OK, I need parse more data. Sorry....")
buffers = data[total_len_consumed:]
try:
handshake = dpkt.ssl.TLSHandshake(buffers)
except dpkt.ssl.SSL3Exception as exception:
verboseprint('exception while parsing TLS handshake record: {0}'.
format(exception))
except dpkt.dpkt.NeedData as exception:
verboseprint('exception while parsing TLS handshake record: {0}'.
format(exception))
try:
ch = handshake.data
except UnboundLocalError as exception:
verboseprint('exception while parsing TLS handshake record: {0}'.
format(exception))
break
total_len_consumed += handshake.length+ 4
# ******** client is source IP, server is destination IP *******
client = '{0}:{1}'.format(socket.inet_ntoa(ip.src), ip.data.sport)
server = '{0}:{1}'.format(socket.inet_ntoa(ip.dst), ip.data.dport)
if handshake.type == 0:
# ssl_servers_with_handshake.add(server)
print('<- Hello Request {0} <- {1}'.format(client, server))
elif handshake.type == 1:
ssl_servers_with_client_hello.add(server)
global client_hello_set
global buffer
connection = "{}-{}".format(client, server)
"""
if connection == "192.168.56.114:1110-203.208.39.223:443":
print("192.168.56.114:1110-203.208.39.223:443 debug")
"""
if connection in client_hello_set:
print("#"*99)
print("Client Hello found again! {}, add into wanted data!".format(connection))
add_to_complete_ssl_flow(connection, buffer)
else:
client_hello_set.add(connection)
print(' -> ClientHello {0} -> {1}'.format(client, server))
# init buffer
buffer[connection] = {"out":[], "in":[]}
# if connection == "185.9.34.103:58037-166.111.5.193:3390":
# print("check debug")
# print(buffer.keys())
# print(ssl_servers_with_client_hello)
if need_more_parse:
parse_client_hello(handshake)
elif handshake.type == 2:
# ssl_servers_with_handshake.add(client)
print('<- ServerHello {1} <- {0}'.format(client, server))
if need_more_parse:
parse_server_hello(handshake.data)
elif handshake.type == 11: # TLSCertificate
# ssl_servers_with_handshake.add(client)
print('<- Certificate {1} <- {0}'.format(client, server))
if need_certs:
hd_data = handshake.data
assert isinstance(hd_data, dpkt.ssl.TLSCertificate)
certs = []
#print(dir(hd))
for i in range(len(hd_data.certificates)):
# print("hd.certificates[i]:", hd_data.certificates[i])
cert = x509.Certificate.load(hd_data.certificates[i])
sha = cert.sha256_fingerprint.replace(" ", "")
# print(sha)
certs.append(sha)
connection_key = "{}-{}".format(server, client)
ssl_servers_certs[connection_key] = certs
print("*"*66)
print("certs all here:", certs)
elif handshake.type == 12:
# ssl_servers_with_handshake.add(client)
print('<- ServerKeyExchange {1} <- {0}'.format(server, client))
elif handshake.type == 13:
# ssl_servers_with_handshake.add(client)
print('<- CertificateRequest {1} <- {0}'.format(client, server))
elif handshake.type == 14:
# ssl_servers_with_handshake.add(client)
print('<- ServerHelloDone {1} <- {0}'.format(client, server))
elif handshake.type == 15:
# ssl_servers_with_handshake.add(server)
print(' -> CertificateVerify {0} -> {1}'.format(client, server))
elif handshake.type == 16:
# ssl_servers_with_handshake.add(server)
print(' -> ClientKeyExchange {0} -> {1}'.format(client, server))
elif handshake.type == 20:
# ssl_servers_with_handshake.add(server)
print(' -> Finished {0} -> {1}'.format(client, server))
def get_tls_certs(stream):
if stream is None:
return []
is_tls_v2, version3 = check_tls_version(stream)
if (stream[0]) not in {20, 21, 22, 23}:
print("Data weird!!! check again!!! TODO!!!", list(stream[:30]))
return []
# print("Found reassembled segments data: {}".format(stream[0]))
#print("SSL tcp payload:", list(stream))
try:
#records, bytes_used = dpkt.ssl.tls_multi_factory(stream)
records = []
if is_tls_v2:
length = client_hello_ssl_v2(stream)
print("SSv2 tls found. extra len:{}".format(length))
records, bytes_used = tls_multi_factory_new(stream[length:])
else:
records, bytes_used = tls_multi_factory_new(stream)
except dpkt.ssl.SSL3Exception as exception:
verboseprint('exception while parsing TLS records: {0}'.
format(exception))
return []
if len(records) > 1:
print("SSL stream has many({}) records!".format(len(records)))
ans = []
for record in records:
# record_type = pretty_name('tls_record', record.type)
# print('captured TLS record type {0}'.format(record_type))
# if record_type == 'handshake':
if record.type == 0x16: # HandShake
certs = parse_tls_certs(record.data, record.length)
ans += certs
if record.type == 0x17:
# application data
pass
sys.stdout.flush()
return ans
def parse_tls_certs(data, record_length):
"""
Parses TLS Handshake message contained in data according to their type.
"""
ans = []
handshake_type = ord(data[:1])
if handshake_type == 4:
print('[#] New Session Ticket is not implemented yet')
return ans
total_len_consumed = 0
while total_len_consumed < record_length:
if total_len_consumed > 0:
print("What the fuck is it???? OK, I need parse more data. Sorry....")
buffers = data[total_len_consumed:]
try:
handshake = dpkt.ssl.TLSHandshake(buffers)
except dpkt.ssl.SSL3Exception as exception:
verboseprint('exception while parsing TLS handshake record: {0}'.
format(exception))
break
except dpkt.dpkt.NeedData as exception:
verboseprint('exception while parsing TLS handshake record: {0}'.
format(exception))
break
try:
ch = handshake.data
except UnboundLocalError as exception:
verboseprint('exception while parsing TLS handshake record: {0}'.
format(exception))
break
total_len_consumed += handshake.length+ 4
if handshake.type == 11: # TLSCertificate
# ssl_servers_with_handshake.add(client)
hd_data = handshake.data
assert isinstance(hd_data, dpkt.ssl.TLSCertificate)
certs = []
#print(dir(hd))
for i in range(len(hd_data.certificates)):
# print("hd.certificates[i]:", hd_data.certificates[i])
cert = x509.Certificate.load(hd_data.certificates[i])
sha = cert.sha256_fingerprint.replace(" ", "")
# print(sha)
certs.append(sha)
ans += certs
return ans
def unpacker(type_string, packet):
"""
Returns network-order parsed data and the packet minus the parsed data.
"""
if type_string.endswith('H'):
length = 2
if type_string.endswith('B'):
length = 1
if type_string.endswith('P'): # 2 bytes for the length of the string
length, packet = unpacker('H', packet)
type_string = '{0}s'.format(length)
if type_string.endswith('p'): # 1 byte for the length of the string
length, packet = unpacker('B', packet)
type_string = '{0}s'.format(length)
data = struct.unpack('!' + type_string, packet[:length])[0]
if type_string.endswith('s'):
#data = ''.join(data)
data = data
return data, packet[length:]
def parse_server_hello(handshake):
"""
Parses server hello handshake.
"""
payload = handshake.data
session_id, payload = unpacker('p', payload)
cipher_suite, payload = unpacker('H', payload)
print('[*] Cipher: {0}'.format(pretty_name('cipher_suites',
cipher_suite)))
compression, payload = unpacker('B', payload)
print('[*] Compression: {0}'.format(pretty_name('compression_methods',
compression)))
extensions = parse_extensions(payload)
for extension in extensions:
print(' {0}'.format(extension))
def parse_client_hello(handshake):
hello = handshake.data
compressions = []
cipher_suites = []
extensions = []
payload = handshake.data.data
session_id, payload = unpacker('p', payload)
cipher_suites, pretty_cipher_suites = parse_extension(payload, 'cipher_suites')
verboseprint('TLS Record Layer Length: {0}'.format(len(handshake)))
verboseprint('Client Hello Version: {0}'.format(dpkt.ssl.ssl3_versions_str[hello.version]))
verboseprint('Client Hello Length: {0}'.format(len(hello)))
verboseprint('Session ID: {0}'.format(hexlify(session_id)))
print('[*] Ciphers: {0}'.format(pretty_cipher_suites))
# consume 2 bytes for each cipher suite plus 2 length bytes
payload = payload[(len(cipher_suites) * 2) + 2:]
compressions, pretty_compressions = parse_extension(payload, 'compression_methods')
print('[*] Compression methods: {0}'.format(pretty_compressions))
# consume 1 byte for each compression method plus 1 length byte
payload = payload[len(compressions) + 1:]
extensions = parse_extensions(payload)
for extension in extensions:
print(' {0}'.format(extension))
def parse_extensions(payload):
"""
Parse data as one or more TLS extensions.
"""
extensions = []
#print("payload:", payload)
if len(payload) <= 0:
return []
print('[*] Extensions:')
extensions_len, payload = unpacker('H', payload)
verboseprint('Extensions Length: {0}'.format(extensions_len))
while len(payload) > 0:
extension = Extension(payload)
extensions.append(extension)
# consume 2 bytes for type and 2 bytes for length
payload = payload[extension._length + 4:]
return extensions
def parse_alert_message(connection, payload):
"""
Parses a TLS alert message.
"""
global encrypted_streams
verboseprint(hexlify(payload))
if connection in encrypted_streams:
print('[+] Encrypted TLS Alert message between {0}'.format(connection))
# presume the alert message ended the encryption
encrypted_streams.remove(connection)
else:
alert_level, payload = unpacker('B', payload)
alert_description, payload = unpacker('B', payload)
print('[+] TLS Alert message between {0}: {1} {2}'.
format(connection, pretty_name('alert_level', alert_level),
pretty_name('alert_description', alert_description)))
def parse_extension(payload, type_name):
"""
Parses an extension based on the type_name.
Returns an array of raw values as well as an array of prettified values.
"""
entries = []
pretty_entries = []
format_list_length = 'H'
format_entry = 'B'
list_length = 0
if type_name == 'elliptic_curves':
format_list_length = 'H'
format_entry = 'H'
if type_name == 'ec_point_formats':
format_list_length = 'B'
if type_name == 'compression_methods':
format_list_length = 'B'
format_entry = 'B'
if type_name == 'heartbeat':
format_list_length = 'B'
format_entry = 'B'
if type_name == 'next_protocol_negotiation':
format_entry = 'p'
else:
if len(payload) > 1: # contents are a list
list_length, payload = unpacker(format_list_length, payload)
verboseprint('type {0}, list type is {1}, number of entries is {2}'.
format(type_name, format_list_length, list_length))
if type_name == 'status_request' or type_name == 'status_request_v2':
_type, payload = unpacker('B', payload)
format_entry = 'H'
if type_name == 'padding':
return payload, hexlify(payload)
if type_name == 'SessionTicket_TLS':
return payload, hexlify(payload)
if type_name == 'cipher_suites':
format_entry = 'H'
if type_name == 'supported_groups':
format_entry = 'H'
if type_name == 'signature_algorithms':
format_entry = 'H'
if type_name == 'cipher_suites':
format_entry = 'H'
if list_length:
payload = payload[:list_length]
while (len(payload) > 0):
if type_name == 'server_name':
_type, payload = unpacker('B', payload)
format_entry = 'P'
if type_name == 'application_layer_protocol_negotiation':
format_entry = 'p'
entry, payload = unpacker(format_entry, payload)
entries.append(entry)
if type_name == 'signature_algorithms':
pretty_entries.append('{0}-{1}'.
format(pretty_name
('signature_algorithms_hash',
entry >> 8),
pretty_name('signature_algorithms_signature',
entry % 256)))
else:
if format_entry.lower() == 'p':
pretty_entries.append(entry)
else:
pretty_entries.append(pretty_name(type_name, entry))
return entries, pretty_entries
def pretty_name(name_type, name_value):
"""Returns the pretty name for type name_type."""
if name_type in PRETTY_NAMES:
if name_value in PRETTY_NAMES[name_type]:
name_value = PRETTY_NAMES[name_type][name_value]
else:
name_value = '{0}: unknown value {1}'.format(name_value, name_type)
else:
name_value = 'unknown type: {0}'.format(name_type)
return name_value
def main():
"""
Main program loop.
"""
global cap_filter
global interface
parse_arguments()
if filename:
read_file(filename)
def process_left_buffer():
print("********process_left_buffer********")
global buffer
for connection_key in buffer:
add_to_complete_ssl_flow(connection_key, buffer)
def read_file(filename):
try:
with open(filename, 'rb') as f:
capture = dpkt.pcap.Reader(f)
i = 1
for timestamp, packet in capture:
analyze_packet(timestamp, packet, i, OP.CHECK_TLS_PACKET)
print(i, timestamp)
i += 1
process_left_buffer()
print("*"*99)
print("all ssl flow with client hello are here!!!")
print("*"*99)
print(client_hello_set)
wanted_ssl_flow = []
for flow in ssl_flows:
print("*"*99)
print("connection:", flow["connection"])
# if flow["connection"] == '192.168.56.114:1440-217.69.139.244:443':
# if flow["connection"] == '192.168.56.114:1110-203.208.39.223:443':
# print("check data")
in_payload = None
# for tag, nth, timestamp, payload in flow["payload"]["out"]:
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! out data has no certs !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1
for tag, nth, timestamp, payload in flow["payload"]["in"]:
if in_payload is None:
in_payload = payload
else:
in_payload += payload
certs = get_tls_certs(in_payload)
flow["certs"] = certs
# change to bytes list
flow["payload"]["out"] = [(tag, nth, timestamp, list(payload)) for tag, nth, timestamp, payload in flow["payload"]["out"]]
flow["payload"]["in"] = [(tag, nth, timestamp, list(payload)) for tag, nth, timestamp, payload in flow["payload"]["in"]]
if certs:
print("-"*99)
print("payload out:", [(tag, nth, timestamp, (payload[:10])) for tag, nth, timestamp, payload in flow["payload"]["out"]])
print("len:", len([(tag, nth, timestamp, (payload[:10])) for tag, nth, timestamp, payload in flow["payload"]["in"]]))
print("payload in:", [(tag, nth, timestamp, (payload[:10])) for tag, nth, timestamp, payload in flow["payload"]["in"]])
print("certs:", flow["certs"])
wanted_ssl_flow.append(flow)
print("-"*99)
global output_file
if wanted_ssl_flow:
with open(output_file, "wb") as f:
# json.dump(wanted_ssl_flow, f)
pickle.dump(wanted_ssl_flow, f)
print("total flow:", len(wanted_ssl_flow))
except Exception as e:
print('could not parse {0}, error:{}'.format(filename, e))
if __name__ == "__main__":
main()
cmd = 'python extract_tls_flow7.py -vr "{}" -o black/"{}.txt" >logs/black/"{}.log"'.format(filename, os.path.basename(filename), os.path.basename(filename))
pcap文件 输出tcp payload和证书ID(叶子证书和根证书)