Merge pull request #152 from p-l-/enh-add-ja3c_ua

Add User-Agent and JA3 values
ivre · May 16, 2023 · 790bd53 · 790bd53
2 parents 958a642 + fa4c0ad
commit 790bd53
Showing 1 changed file with 124 additions and 2 deletions.
diff --git a/main.ts b/main.ts
@@ -49,6 +49,17 @@ interface IvreCertificate {
 	pubkey: IvrePubkey;
 }
 
+interface IvreJa3 {
+	md5: string;
+	sha1?: string;
+	sha256?: string;
+	raw?: string;
+}
+
+interface IvreJa3Server extends IvreJa3 {
+	client?: IvreJa3;
+}
+
 interface IvrePubkey {
 	md5?: string;
 	sha1?: string;
@@ -67,7 +78,12 @@ interface IvreScript {
 	output: string;
 	// @ts-ignore
 	"ssl-cert"?: IvreCertificate[];
-
+	// @ts-ignore
+	"ssl-ja3-client"?: IvreJa3[];
+	// @ts-ignore
+	"ssl-ja3-server"?: IvreJa3Server[];
+	// @ts-ignore
+	"http-user-agent"?: string[];
 	[structured: string]: JSON;
 }
 
@@ -340,6 +356,23 @@ function ivre_create_certificate(
 	}
 	create_note(vault, fname, answer);
 }
+function ivre_create_ja3(ja3: IvreJa3, vault: Vault, base_directory: string) {
+	const base = `${base_directory}/JA3`;
+	create_folder(vault, base);
+	const fname = `${base}/${ja3.md5}.md`;
+	let answer = "JA3\n";
+	answer += "\n# Raw value #\n";
+	answer += `\`\`\`\n${ja3.raw}\n\`\`\`\n`;
+	answer += "\n# Hashes #\n";
+	for (const hashtype of ["md5", "sha1", "sha256"]) {
+		if (ja3[hashtype]) {
+			const hash_value = ja3[hashtype];
+			ivre_create_hash(hash_value, vault, base_directory);
+			answer += `- ${hashtype.toUpperCase()}: [[${base_directory}/Hash/${hash_value}.md|${hash_value}]]\n`;
+		}
+	}
+	create_note(vault, fname, answer);
+}
 function ivre_handle_address(
 	address: string,
 	vault: Vault,
@@ -652,12 +685,53 @@ class IvreSearchView extends IvreSearch {
 			answer += `\n# Hostnames #\n${tmp_answer}`;
 		}
 		tmp_answer = "";
+		let tmp_answer_host = "";
 		(data.ports || []).forEach((port: IvrePort) => {
 			if (port.port === -1) {
+				(port.scripts || []).forEach((script: IvreScript) => {
+					if (
+						script.id == "ssl-ja3-client" &&
+						script["ssl-ja3-client"] &&
+						script["ssl-ja3-client"].length
+					) {
+						tmp_answer_host += "\n## JA3 Client fingerprints ##\n";
+						script["ssl-ja3-client"].forEach((ja3: IvreJa3) => {
+							if (ja3.raw) {
+								ivre_create_ja3(
+									ja3,
+									vault,
+									settings.base_directory
+								);
+							} else {
+								// TODO: test if JA3 exists
+								ivre_create_hash(
+									ja3.md5,
+									vault,
+									settings.base_directory
+								);
+							}
+							tmp_answer_host += `- [[${settings.base_directory}/JA3/${ja3.md5}.md|${ja3.md5}]]\n`;
+						});
+					}
+					if (
+						script.id == "http-user-agent" &&
+						script["http-user-agent"] &&
+						script["http-user-agent"].length
+					) {
+						tmp_answer_host += "\n## HTTP User-Agents ##\n";
+						script["http-user-agent"].forEach(
+							(useragent: string) => {
+								tmp_answer_host += `- \`${useragent}\`\n`;
+							}
+						);
+					}
+				});
 				return;
 			}
 			tmp_answer += `\n## ${port.protocol}/${port.port} ##\n`;
-			tmp_answer += `- Status: ${port.state_state}\n`;
+			tmp_answer += `- ${
+				port.state_state.startsWith("open") ? "✅" : "❌"
+			} Status: ${port.state_state}\n`;
 			if (port.service_name) {
 				tmp_answer += `- Service: ${port.service_name}`;
 				if (port.service_product) {
@@ -690,6 +764,48 @@ class IvreSearchView extends IvreSearch {
 						}
 					);
 				}
+				if (
+					script.id == "ssl-ja3-server" &&
+					script["ssl-ja3-server"] &&
+					script["ssl-ja3-server"].length
+				) {
+					tmp_answer += "\n### JA3 Server fingerprints ###\n";
+					script["ssl-ja3-server"].forEach((ja3: IvreJa3Server) => {
+						if (ja3.raw) {
+							ivre_create_ja3(
+								ja3,
+								vault,
+								settings.base_directory
+							);
+						} else {
+							// TODO: test if JA3 exists
+							ivre_create_hash(
+								ja3.md5,
+								vault,
+								settings.base_directory
+							);
+						}
+						if (ja3.client) {
+							if (ja3.client.raw) {
+								ivre_create_ja3(
+									ja3.client,
+									vault,
+									settings.base_directory
+								);
+							} else {
+								// TODO: test if JA3 exists
+								ivre_create_hash(
+									ja3.client.md5,
+									vault,
+									settings.base_directory
+								);
+							}
+							tmp_answer += `- [[${settings.base_directory}/JA3/${ja3.md5}.md|${ja3.md5}]] - [[${settings.base_directory}/JA3/${ja3.client.md5}.md|${ja3.client.md5}]]\n`;
+						} else {
+							tmp_answer += `- [[${settings.base_directory}/JA3/${ja3.md5}.md|${ja3.md5}]]\n`;
+						}
+					});
+				}
 			});
 			if (port.screenshot === "field" && port.screendata) {
 				tmp_answer += `\n![](data:image/png;base64,${port.screendata})\n`;
@@ -702,6 +818,12 @@ class IvreSearchView extends IvreSearch {
 				tmp_answer.length - 1
 			)}`;
 		}
+		if (tmp_answer_host) {
+			answer += `\n# Host details #\n${tmp_answer_host.substring(
+				0,
+				tmp_answer_host.length - 1
+			)}`;
+		}
 		return answer;
 	}
 	process_ipaddress(