Extract JA3(S) fingerprints while sniffing live traffic or from a pcap (or pcapng ...) file.
about ja3(s):
- https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967
- https://xz.aliyun.com/t/3889
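In theory, extraction is supported for all TLS/SSL versions (not every version has been tested owing to limited time; please submit an issue if you run into problems).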
pip install scapy colorama cryptography
- py3.x
- macos/linux/windows
- run as root when in the online mode
online mode
sudo python ja3box.py -i en0
offline mode
sudo python ja3box.py -f test.pcap
output in json format
sudo python ja3box.py -i en0 --json
save json to a file
sudo python ja3box.py -i en0 -of test.json --json
» sudo python ja3box.py -h
________
[__,.,--\\ __ ______
| | / \\ |___ //
| | / _ \\ |_ \\
._| | / ___ \\ ___) || toolbox
\__// /_// \_\\|____// v2.2
usage: ja3box.py [-h] [-i I] [-f F] [-of OF] [-bpf BPF] [--type {ja3,ja3s,all}] [--json] [--savepcap] [-pf PF]
Version: 2.2; Running in Py3.x
optional arguments:
-h, --help show this help message and exit
-i I interface or list of interfaces (default: sniffing on all interfaces)
-f F local pcap filename (in the offline mode)
-of OF print result to? (default: stdout)
-bpf BPF yes, it is BPF
--type {ja3,ja3s,all}
get pure ja3/ja3s
--json print result as json
--savepcap save the raw pcap
-pf PF eg. `-pf test`: save the raw pcap as test.pcap
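
How a JA3 fingerprint is derived from a ClientHello, following the JA3 format described in the Salesforce article linked above. This is an added example, not ja3box's own code; `ja3_from_client_hello` and `sample_client_hello` are hypothetical names, and the ClientHello bytes are constructed rather than captured.

```python
import hashlib
import struct

# GREASE values (RFC 8701) change per connection, so JA3 drops them.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}

def ja3_from_client_hello(hs: bytes):
    """Return (ja3_string, md5_hex) for one raw ClientHello handshake message."""
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body, pos = hs[4:4 + int.from_bytes(hs[1:4], "big")], 0
    def take(n):  # bounds-checked read so a cut-off capture fails loudly
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        pos += n
        return body[pos - n:pos]
    def u16s(raw):  # big-endian 16-bit list with GREASE removed
        return [v for (v,) in struct.iter_unpack("!H", raw[:len(raw) & ~1]) if v not in GREASE]

    version = int.from_bytes(take(2), "big")
    take(32)                                  # random
    take(take(1)[0])                          # session_id
    ciphers = u16s(take(int.from_bytes(take(2), "big")))
    take(take(1)[0])                          # compression methods
    exts, groups, formats = [], [], []
    if pos < len(body):                       # extensions block is optional
        take(2)                               # total extensions length
        while pos < len(body):
            etype, elen = struct.unpack("!HH", take(4))
            data = take(elen)
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == 10:                   # supported_groups: 2-byte list length first
                groups = u16s(data[2:])
            elif etype == 11:                 # ec_point_formats: 1-byte list length first
                formats = list(data[1:])
    ja3 = ",".join([str(version)] + ["-".join(map(str, f)) for f in (ciphers, exts, groups, formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def sample_client_hello():
    """Constructed ClientHello for the demo (empty extension bodies), not captured traffic."""
    ciphers = struct.pack("!4H", 0x0A0A, 0x1301, 0x1302, 0xC02F)
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in [
        (0x1A1A, b""), (0, b""), (10, struct.pack("!4H", 6, 0x2A2A, 29, 23)), (11, b"\x01\x00")])
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

Because the GREASE cipher, extension and group are dropped before hashing, two connections from the same client stack yield the same fingerprint even though their GREASE values differ.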