devbox
知新_RL
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

python dpkt解析ssl流

作者:知新_RL | 2024-03-06 18:48:03

dpkt dpkt.sll.sll内容编码

用法:python extract_tls_flow.py -vr  white_pcap/11/2018-01-10_13-05-09_2.pcap  -o pcap_ssl_flow.txt  >log.txt

python dpkt解析ssl流,记录含有client hello到app data的完整ssl 流,同时记录ssl证书:

  1. #!/usr/bin/env python
  2.  
  3. from __future__ import absolute_import
  4. from __future__ import print_function
  5. import argparse
  6. from binascii import hexlify
  7. import socket
  8. import struct
  9. import json
  10. import sys
  11. import textwrap
  12. import dpkt
  13. from constants import PRETTY_NAMES
  14. from asn1crypto import x509
  15.  
  16.  
  17. global streambuffer
  18. streambuffer = {}
  19. global encrypted_streams
  20. encrypted_streams = [] # change_cipher
  21. global ssl_servers_certs
  22. ssl_servers_certs = {}
  23. global ssl_servers_with_client_hello
  24. ssl_servers_with_client_hello = set()
  25. global client_hello_set
  26. client_hello_set = set()
  27. global ssl_flows
  28. ssl_flows = []
  29. global buffer
  30. buffer = {}
  31. need_more_parse = False
  32.  
  33.  
  34. class FlowDirection(object):
  35.     OUT = 1
  36.     IN = 2
  37.     UNKNOWN = 3
  38.  
  39.  
  40. class Extension(object):
  41.     """
  42.     Encapsulates TLS extensions.
  43.     """
  44.     def __init__(self, payload):
  45.         self._type_id, payload = unpacker('H', payload)
  46.         self._type_name = pretty_name('extension_type', self._type_id)
  47.         self._length, payload = unpacker('H', payload)
  48.         # Data contains an array with the 'raw' contents
  49.         self._data = None
  50.         # pretty_data contains an array with the 'beautified' contents
  51.         self._pretty_data = None
  52.         if self._length > 0:
  53.             self._data, self._pretty_data = parse_extension(payload[:self._length],
  54.                                                             self._type_name)
  55.  
  56.     def __str__(self):
  57.         # Prints out data array in textual format
  58.         return '{0}: {1}'.format(self._type_name, self._pretty_data)
  59.  
  60.  
  61. def analyze_packet(_timestamp, packet, nth):
  62.     """
  63.     Main analysis loop for pcap.
  64.     """
  65.     eth = dpkt.ethernet.Ethernet(packet)
  66.     if isinstance(eth.data, dpkt.ip.IP):
  67.         #print("timestamp:", _timestamp, "debug")
  68.         parse_ip_packet(eth.data, nth, _timestamp)
  69.  
  70.  
  71. def parse_arguments():
  72.     """
  73.     Parses command line arguments.
  74.     """
  75.     global filename
  76.     global verboseprint
  77.     global output_file
  78.     parser = argparse.ArgumentParser(
  79.             formatter_class=argparse.RawDescriptionHelpFormatter,
  80.             description=textwrap.dedent('''\
  81. Captures, parses and shows TLS Handshake packets
  82. Copyright (C) 2015 Peter Mosmans [Go Forward]
  83. This program is free software: you can redistribute it and/or modify
  84. it under the terms of the GNU General Public License as published by
  85. the Free Software Foundation, either version 3 of the License, or
  86. (at your option) any later version.'''))
  87.     parser.add_argument('-r', '--read', metavar='FILE', action='store',
  88.                         help='read from file (don\'t capture live packets)')
  89.     parser.add_argument('-v', '--verbose', action='store_true',
  90.                         help='increase output verbosity')
  91.     parser.add_argument('-o', '--output', action='store',
  92.                         help='output file')
  93.     args = parser.parse_args()
  94.  
  95.     if args.verbose:
  96.         def verboseprint(*args):
  97.             print('# ', end="")
  98.             for arg in args:
  99.                 print(arg, end="")
  100.             print()
  101.     else:
  102.         verboseprint = lambda *a: None
  103.     filename = None
  104.     if args.read:
  105.         filename = args.read
  106.     output_file = "demo_output.txt"
  107.     if args.output:
  108.         output_file = args.output
  109.  
  110.  
  111.  
  112. def parse_ip_packet(ip, nth, timestamp):
  113.     """
  114.     Parses IP packet.
  115.     """
  116.     sys.stdout.flush()
  117.     if isinstance(ip.data, dpkt.tcp.TCP) and len(ip.data.data):
  118.         # print("****TCP packet found****", "tcp payload:", list(ip.data.data))
  119.         parse_tcp_packet(ip, nth, timestamp)
  120.  
  121.  
  122. def parse_tcp_packet(ip, nth, timestamp):
  123.     """
  124.     Parses TCP packet.
  125.     """
  126.     stream = ip.data.data
  127.     """ refer: The Transport Layer Security (TLS) Protocol URL:https://tools.ietf.org/html/rfc5246
  128.     enum {
  129.           change_cipher_spec(20), alert(21), handshake(22),
  130.           application_data(23), (255)
  131.       } ContentType;
  132.     """
  133.     # ssl flow
  134.     if (stream[0]) in {20, 21, 22, 23}:
  135.         if (stream[0]) in {20, 21, 22}:
  136.             parse_tls_records(ip, stream, nth)
  137.         else:
  138.             connection = '{0}:{1}-{2}:{3}'.format(socket.inet_ntoa(ip.src),
  139.                                           ip.data.sport,
  140.                                           socket.inet_ntoa(ip.dst),
  141.                                           ip.data.dport)
  142.             print("*"*99)
  143.             print("23 SSL application data:{} 10 sample:{} nth:{}".format(connection, list(stream[:10]), nth))
  144.         # buffer record recent ssl flow from handshake to app data  TODO precise description
  145.         record_recent_data_flow(ip, stream, nth, timestamp)
  146.  
  147.  
  148. def has_application_data(flow_list):
  149.     for flow in flow_list:
  150.         if flow[0] == 23:
  151.             return True
  152.     return Fals
声明:本文内容由网友自发贡献,转载请注明出处:【wpsshop博客】
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号