Fingerprint TLS implementations using state machines inferred by
StateLearner. StateLearner can
learn state machines for (in this case TLS) implementations using a black-box
approach. Different implementations can have a different state machine, which
makes it possible to differentiate them. By combining these state machines into
a single tree, and then probing a live implementation, tlsprint makes it
possible to fingerprint the TLS implementation running on the target.
Install the latest release from PyPi:
pip install tlsprintNote: This step is optional, a model.p is included in the distribution,
which contains a model created using 27 unique state machines, representing 283
different TLS implementations. For the full list of implementations, check the
models directory in the repository.
After state machines are inferred using StateLearner, run
tlsprint learn <statelearner_output_dir> model.pto merge all models together into a single
tree. This tree is returned as a pickled networkx graph, and is required for
the identify step.
When using the default model, identifying the TLS implementation on a target can be done be running
tlsprint identify <target>This defaults to port 443, a custom port can be specified by adding
--target-port <port>.
The command returns a list of possible implementations. All these
implementations share the same model, meaning tlsprint cannot further specify
the exact implementation.
Passing --graph-dir <output> to the identify command, will write DOT files
for all intermediate versions of the model tree. This can be insightful to
understand what tlsprint is doing.
If you learned a custom model using the learn command, you can override the
default model using --model <filename>.