Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

SSLv2 in Python Script

See original GitHub issue

When a piece of malware issues a SSLv2 client hello, ja3.py misses it. Can ja3 apply to SSLv2 hellos? I know there are no extensions, but that could just be blank.

Issue Analytics

State:
Created 5 years ago
Comments:5 (1 by maintainers)

Top GitHub Comments

1reaction

Macr0phag3commented, Jan 10, 2020

@0xdf-0xdf

i met the same problem, so i use scapy to make a new tool:

https://github.com/Macr0phag3/ja3box

it seems to work well

0reactions

p-l-commented, Jan 17, 2019

For probe.pcap (https://www.cloudshark.org/captures/7796ea1bb3f3), which is the shortest, I got in ssl.log:

#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       version cipher  curve   server_name     resumed last_alert      next_protocol  established     cert_chain_fuids        client_cert_chain_fuids subject issuer  client_subject  client_issuer   validation_status       ivreja3c      ivreja3s
#types  time    string  addr    port    addr    port    string  string  string  string  bool    string  string  bool    vector[string]  vector[string]  stringstring   string  string  string  string  string
1468756951.170231       Cir6d52ztQSFX2hVSg      150.255.241.154 30283   172.246.47.121  443     TLSv10  TLS_RSA_WITH_AES_128_CBC_SHA    -       -       F     --       T       FMTr7TG8nFG58ngR5       (empty) C=US,OU=krrr-work,O=krrr-work,CN=krrr-work      C=US,OU=krrr-work,O=krrr-work,CN=krrr-work      -       -     self signed certificate  2,57-56-53-22-19-10-458944-51-50-47-196736-5-4-65664-21-18-9-393280-20-17-8-6-262272-3-131200,,,        769,47,
#close  2019-01-17-18-11-56

So I have both a client and server JA3 fingerprint.

NB: I use IVRE’s version of the JA3 script, but the original should work just as well. This only explains the fact that I have ivreja3{c,s} field names and that I get the raw signatures (with IVRE the MD5 are not computed by Bro, so that we can use the raw value or the MD5 hash).

Both signature start with 2, which is OK for SSLv2 I guess.

Bro version 2.6.1 has been used here BTW.

Update I missed the “in Python Script”, I am not even able to read an issue title. So this comment is probably not helpful, but in case it helps anyway: that should work with Bro.

Top Results From Across the Web

ssl — TLS/SSL wrapper for socket objects — Python 3.11.1 ...

This module provides access to Transport Layer Security (often known as “Secure Sockets Layer”) encryption and peer authentication facilities for network ...

Python SSL and TLS security

Python 2.7 and 3.5-3.7: ... [Python-Dev] SSL certificates recommendations for downstream python packagers ... SSLv2 now black listed; SSLv3 now black listed ...

How To Test SSLv2 DROWN Attack Vulnerability Using ...

How To Test SSLv2 DROWN Attack Vulnerability Using Python Script (And Solution to Fix the DROWN Attack on Apache and NginX).

SSL module in Python: stay secure! - Codiga

Secure Sockets Layer (SSL) is a protocol now deprecated (since 2011 for SSLv2 and 2015 for SSLv3). Since then, the TLS protocol has...

How to check a website for SSLv2 or SSLv3? - Stack Overflow

To check the TLS protocol version that was negotiated in your connection you can call oscon.get_protocol_version_name() .