hub / github.com/USArmyResearchLab/Dshell / connection_handler

Method connection_handler

dshell/plugins/ssl/tls.py:875–986  ·  view source on GitHub ↗
(self, conn)


873 self.debug("ja3 capability disabled due to missing python module")
874
875 def connection_handler(self, conn):
876
877 inverted_ssl = False
878 info = conn.info()
879 client_names = set() # Agregate list of names specified by client
880 server_names = set() # Agregate list of names specified by server
881 certs_cs = []
882 certs_sc = []
883 server_cipher = None
884 client_cipher_list = []
885
886 for blob in conn.blobs:
887
888 blob.reassemble(allow_overlap=True, allow_padding=True)
889 data = blob.data
890 offset = 0
891
892 while offset < len(data):
893
894 tlsrecord = None
895 try:
896 tlsrecord = TLS(data[offset:])
897 offset += tlsrecord.recordbytes
898
899 if tlsrecord.ContentType == SSL3_RT_HANDSHAKE:
900 for hs in tlsrecord.Handshakes:
901 #
902 # Client hello. Looking for inversion.
903 #
904 if hs.HandshakeType == SSL3_MT_CLIENT_HELLO:
905 if blob.direction != 'cs':
906 inverted_ssl = True
907 if 'server_name' in hs.extensions:
908 for server in hs.extensions['server_name']:
909 client_names.add(
910 server.decode('utf-8'))
911 if ja3_available:
912 info['ja3'] = hs.ja3()
913 info['ja3_digest'] = hs.ja3_digest()
914 client_cipher_list = hs.cipher_suites
915
916 elif hs.HandshakeType == SSL3_MT_SERVER_HELLO:
917 server_cipher = hs.cipher_suite
918
919 #
920 # Certificate. Looking for first server cert.
921 #
922 elif hs.HandshakeType == SSL3_MT_CERTIFICATE:
923 for cert in hs.Certificates:
924 cert_info = openSSL_cert_to_info_dictionary(
925 cert)
926 if blob.direction == 'cs':
927 certs_cs.append(cert_info)
928 else:
929 certs_sc.append(cert_info)
930
931 except InsufficientData:
932 self.log('Skipping small blob: %s\n' % (sys.exc_info()[1]))

Callers

nothing calls this directly

Calls 9

TLSClass · 0.85
reassembleMethod · 0.80
ja3Method · 0.80
ja3_digestMethod · 0.80
infoMethod · 0.45
logMethod · 0.45
writeMethod · 0.45

Tested by

no test coverage detected