Finding the cipher suites offered by the client in TLS

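I have an assignment that requires extracting data from a pcap file. The file looks like this: [image]

The question is to find the cipher suites offered by the client in TLS. I know the cipher suites I am looking for are in the initial Client Hello packet, but how do I find the cipher suites?

This is what I have so far: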

tshark -r assign1.pcap | grep "Client Hello"

This is the output I get: [image]

Here is the file: https://ufile.io/jsfjr

Answer 1

If you use the following switches with tshark, you can get a more detailed listing of the Client Hello handshake:

$ tshark -r assign2.pcap -Y ssl.handshake.ciphersuites -Vx | less

If you search the less output for /Client Hello, you will find this section:

SSL Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 246
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 242
        Version: TLS 1.2 (0x0303)
        Random
            gmt_unix_time: Mar 17, 2068 11:26:39.000000000 EDT
            random_bytes: 981fbf58a3116dd17c64b602e2809de75dac922eb559a0ba...
        Session ID Length: 0
        Cipher Suites Length: 108
        Cipher Suites (54 suites)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
            Cipher Suite: Unknown (0xcca9)
            Cipher Suite: Unknown (0xcca8)
            Cipher Suite: Unknown (0xccaa)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
            Cipher Suite: TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 (0x00ad)
            Cipher Suite: TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 (0x00ab)
            Cipher Suite: Unknown (0xccae)
            Cipher Suite: Unknown (0xccad)
            Cipher Suite: Unknown (0xccac)
            Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
            Cipher Suite: TLS_PSK_WITH_AES_256_GCM_SHA384 (0x00a9)
            Cipher Suite: Unknown (0xccab)
            Cipher Suite: TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 (0x00ac)
            Cipher Suite: TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 (0x00aa)
            Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
            Cipher Suite: TLS_PSK_WITH_AES_128_GCM_SHA256 (0x00a8)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
            Cipher Suite: TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 (0xc038)
            Cipher Suite: TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA (0xc036)
            Cipher Suite: TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 (0x00b7)
            Cipher Suite: TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 (0x00b3)
            Cipher Suite: TLS_RSA_PSK_WITH_AES_256_CBC_SHA (0x0095)
            Cipher Suite: TLS_DHE_PSK_WITH_AES_256_CBC_SHA (0x0091)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA384 (0x00af)
            Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA (0x008d)
            Cipher Suite: TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 (0xc037)
            Cipher Suite: TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA (0xc035)
            Cipher Suite: TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 (0x00b6)
            Cipher Suite: TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 (0x00b2)
            Cipher Suite: TLS_RSA_PSK_WITH_AES_128_CBC_SHA (0x0094)
            Cipher Suite: TLS_DHE_PSK_WITH_AES_128_CBC_SHA (0x0090)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA256 (0x00ae)
            Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA (0x008c)
            Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
        Compression Methods Length: 1
...
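
As an added example (not part of the original answer): a minimal Python parser that walks the same fields shown in the tshark output above (record header, handshake header, Version, Random, Session ID, Cipher Suites Length) to extract the offered suites. The function names, the partial name table and the sample record are constructed for illustration, and it assumes one unfragmented Client Hello record.

```python
import struct

# Partial name table (IANA registry values); anything else prints as Unknown.
SUITE_NAMES = {
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",    # RFC 7905
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",  # RFC 7905
    0xCCAA: "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",      # RFC 7905
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

def client_hello_suites(record: bytes) -> list:
    """Return the cipher suite IDs offered in one unfragmented Client Hello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    # Content Type 22 = Handshake, Handshake Type 1 = Client Hello
    if content_type != 22 or len(body) < max(rec_len, 4) or body[0] != 1:
        raise ValueError("not a complete Client Hello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                          # skip client Version and Random
    if len(hello) < pos + 1:
        raise ValueError("truncated before Session ID Length")
    pos += 1 + hello[pos]                 # skip Session ID Length and Session ID
    if len(hello) < pos + 2:
        raise ValueError("truncated before Cipher Suites Length")
    (cs_len,) = struct.unpack_from("!H", hello, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad Cipher Suites Length")
    return [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]

def describe(record: bytes) -> list:
    """Format suites in the same NAME (0xNNNN) style as the tshark listing."""
    return ["%s (0x%04x)" % (SUITE_NAMES.get(s, "Unknown"), s)
            for s in client_hello_suites(record)]

# Constructed sample: TLS 1.2 Client Hello, zeroed Random, empty Session ID, 4 suites.
_hello = (bytes.fromhex("0303") + bytes(32) + b"\x00"
          + bytes.fromhex("0008c02cc030cca900ff") + b"\x01\x00")
SAMPLE = (b"\x16\x03\x01" + struct.pack("!H", len(_hello) + 4)
          + b"\x01" + len(_hello).to_bytes(3, "big") + _hello)

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE)))
```

The 0xcca8 to 0xccaa values that the listing above shows as Unknown are the ChaCha20-Poly1305 suites assigned in RFC 7905; a tshark build that predates them cannot name them.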
