Introduction
Fatt is a pyshark-based script for extracting network metadata and network fingerprints. It can work on live network traffic or on existing pcap (packet capture) files, and with it you can fingerprint almost everything in a given traffic stream.
Fatt [Fingerprint All The Things]: Network Fingerprint Extractor
As a network utility, Fatt can be used for network forensics, but its main use case is monitoring honeypots. When reading a packet capture file it is effective at extracting HASSH and JA3 fingerprints. Fatt supports several protocols, including HTTP, SSH, gQUIC, SSL/TLS and RDP, which makes it well suited to network-based analysis and to threat hunting within a network. The auxiliary Metasploit scanner is specifically useful for detecting potential security vulnerabilities in the RDP protocol.
Fatt can also decode traffic on specific ports as other protocols. A given packet from the traffic can be decoded as TLS, giving you a view of the JA3 fingerprint as well as the TLS ClientHello.
Features:
- Supports Multiple Protocols: SSL/TLS, HTTP, SSH, gQUIC, RDP
- Multiple fingerprint methods
- Has JSON output
Supported Platforms:
- Linux, Windows, OS X
Dependencies:
- Pipenv
- Tshark
Available Fingerprinting methods:
- JA3: TLS client or server fingerprint
- HTTP header fingerprint
- HASSH: SSH client or server fingerprint
- gQUIC/iQUIC fingerprint (soon to be added)
- RDFP: RDP fingerprint (still experimental, and for standard RDP security only; the other RDP security modes rely on TLS, so JA3 can be used to fingerprint them)
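The JA3 and HASSH methods listed above both work the same way: the tool pulls a handful of handshake fields out of the packet (as fatt does via pyshark) and hashes a canonical string built from them. The following added example, which is not fatt's own code, shows that derivation for both methods following the public JA3 and HASSH specifications, including the TLS GREASE values that must be stripped before hashing. All field values in it are constructed samples, not captures from any real host.

```python
# Added example (not fatt's code): derive JA3 and HASSH fingerprints from the
# handshake fields a tool like fatt extracts. Follows the public JA3 and HASSH
# specifications; the sample inputs below are constructed, not captured.
import hashlib

# TLS GREASE values (RFC 8701) are chosen randomly per connection, so they must
# be dropped before hashing or the same client would yield a new JA3 each time.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _no_grease(values):
    """Remove GREASE entries while preserving the order the client sent."""
    return [v for v in values if v not in GREASE]


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 string: Version,Ciphers,Extensions,Curves,PointFormats.
    Values are decimal, '-' joins entries inside a field, ',' separates fields.
    Order is preserved because it is part of the client's fingerprint."""
    fields = (
        [str(version)],
        [str(c) for c in _no_grease(ciphers)],
        [str(e) for e in _no_grease(extensions)],
        [str(g) for g in _no_grease(curves)],
        [str(p) for p in point_formats],
    )
    return ",".join("-".join(field) for field in fields)


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """JA3 fingerprint = MD5 of the JA3 string (32 hex chars)."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode()).hexdigest()


def hassh_string(kex, enc, mac, comp):
    """Build the HASSH string from the SSH KEXINIT name-lists:
    KEX;ENC;MAC;CMP, each list comma-joined. Use the client-to-server lists
    for hassh and the server-to-client lists for hasshServer."""
    return ";".join(",".join(names) for names in (kex, enc, mac, comp))


def hassh_hash(kex, enc, mac, comp):
    """HASSH fingerprint = MD5 of the HASSH string."""
    return hashlib.md5(hassh_string(kex, enc, mac, comp).encode()).hexdigest()


# Constructed ClientHello fields (TLS 1.2 = 771) with one GREASE value in the
# cipher, extension and curve lists, as a real browser would send.
SAMPLE_CLIENT_HELLO = dict(
    version=771,
    ciphers=[0x0a0a, 4865, 4866, 4867, 49195, 49199],
    extensions=[0x2a2a, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 21],
    curves=[0x7a7a, 29, 23, 24],
    point_formats=[0],
)

# Constructed SSH KEXINIT name-lists (client-to-server direction).
SAMPLE_KEXINIT = dict(
    kex=["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    enc=["chacha20-poly1305@openssh.com", "aes128-ctr"],
    mac=["hmac-sha2-256", "umac-64@openssh.com"],
    comp=["none", "zlib@openssh.com"],
)


if __name__ == "__main__":
    print("ja3 string :", ja3_string(**SAMPLE_CLIENT_HELLO))
    print("ja3        :", ja3_hash(**SAMPLE_CLIENT_HELLO))
    print("hassh str  :", hassh_string(**SAMPLE_KEXINIT))
    print("hassh      :", hassh_hash(**SAMPLE_KEXINIT))
```

Two properties matter when you compare these hashes across captures: the lists are not sorted, since the order a client advertises its algorithms in is part of what identifies it, and GREASE removal is what keeps a browser's JA3 stable across connections. The HASSH string carries no GREASE-style randomness, so its name-lists are hashed as sent.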
Fatt Install
Clone the Fatt repo:
$ git clone https://github.com/0x4D31/fatt.git
To install dependencies run:
$ cd fatt/
$ pip3 install pipenv
$ pipenv install
Or, if you don't want to use a virtual environment (VE), install pyshark directly:
$ pip3 install pyshark==0.4.2.2
To activate the VE, run the following command:
$ pipenv shell
Launching subshell in virtual environment…
Basic Usage
To list available options, use -h:
$ pipenv run python3 fatt.py -h
usage: fatt.py [-h] [-r READ_FILE] [-d READ_DIRECTORY] [-i INTERFACE]
               [-fp [{tls,ssh,rdp,http,gquic} [{tls,ssh,rdp,http,gquic} ...]]]
               [-da DECODE_AS] [-f BPF_FILTER] [-j] [-o OUTPUT_FILE]
               [-w WRITE_PCAP] [-p]

A python script for extracting network fingerprints

optional arguments:
  -h, --help            show this help message and exit
  -r READ_FILE, --read_file READ_FILE
                        pcap file to process
  -d READ_DIRECTORY, --read_directory READ_DIRECTORY
                        directory of pcap files to process
  -i INTERFACE, --interface INTERFACE
                        listen on interface
  -fp [{tls,ssh,rdp,http,gquic} [{tls,ssh,rdp,http,gquic} ...]], --fingerprint [{tls,ssh,rdp,http,gquic} [{tls,ssh,rdp,http,gquic} ...]]
                        protocols to fingerprint. Default: all
  -da DECODE_AS, --decode_as DECODE_AS
                        a dictionary of {decode_criterion_string: decode_as_protocol}
                        that is used to tell tshark to decode protocols in
                        situations it wouldn't usually.
  -f BPF_FILTER, --bpf_filter BPF_FILTER
                        BPF capture filter to use (for live capture only).'
  -j, --json_logging    log the output in json format
  -o OUTPUT_FILE, --output_file OUTPUT_FILE
                        specify the output log file. Default: fatt.log
  -w WRITE_PCAP, --write_pcap WRITE_PCAP
                        save the live captured packets to this file
  -p, --print_output    print the output