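I am working on a task that requires extracting data from a pcap file. The file is given below.
The problem is to find the cipher suites offered by the client in TLS. I know that the cipher suites I am looking for are in the initial Client Hello packet, but how do I find the cipher suites?
This is what I have so far: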
tshark -r assign1.pcap | grep "Client Hello"
The file is here: https://ufile.io/jsfjr
Answer 1
With the following switches, tshark gives a more detailed listing of the Client Hello handshake:
$ tshark -r assign2.pcap -Y ssl.handshake.ciphersuites -Vx | less
If you search the less output for /Client Hello, you will find the following section:
SSL Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 246
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 242
        Version: TLS 1.2 (0x0303)
        Random
            gmt_unix_time: Mar 17, 2068 11:26:39.000000000 EDT
            random_bytes: 981fbf58a3116dd17c64b602e2809de75dac922eb559a0ba...
        Session ID Length: 0
        Cipher Suites Length: 108
        Cipher Suites (54 suites)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
            Cipher Suite: Unknown (0xcca9)
            Cipher Suite: Unknown (0xcca8)
            Cipher Suite: Unknown (0xccaa)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
            Cipher Suite: TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 (0x00ad)
            Cipher Suite: TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 (0x00ab)
            Cipher Suite: Unknown (0xccae)
            Cipher Suite: Unknown (0xccad)
            Cipher Suite: Unknown (0xccac)
            Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
            Cipher Suite: TLS_PSK_WITH_AES_256_GCM_SHA384 (0x00a9)
            Cipher Suite: Unknown (0xccab)
            Cipher Suite: TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 (0x00ac)
            Cipher Suite: TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 (0x00aa)
            Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
            Cipher Suite: TLS_PSK_WITH_AES_128_GCM_SHA256 (0x00a8)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
            Cipher Suite: TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 (0xc038)
            Cipher Suite: TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA (0xc036)
            Cipher Suite: TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 (0x00b7)
            Cipher Suite: TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 (0x00b3)
            Cipher Suite: TLS_RSA_PSK_WITH_AES_256_CBC_SHA (0x0095)
            Cipher Suite: TLS_DHE_PSK_WITH_AES_256_CBC_SHA (0x0091)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA384 (0x00af)
            Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA (0x008d)
            Cipher Suite: TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 (0xc037)
            Cipher Suite: TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA (0xc035)
            Cipher Suite: TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 (0x00b6)
            Cipher Suite: TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 (0x00b2)
            Cipher Suite: TLS_RSA_PSK_WITH_AES_128_CBC_SHA (0x0094)
            Cipher Suite: TLS_DHE_PSK_WITH_AES_128_CBC_SHA (0x0090)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA256 (0x00ae)
            Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA (0x008c)
            Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
        Compression Methods Length: 1
...