Mirror
/
CyberChef
mirror of https://github.com/gchq/CyberChef.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into master

This commit is contained in:
Jonathan Homer 2022-02-27 16:08:26 +00:00 committed by GitHub
parent 644edb9623 ae1b12c120
commit f0e919203f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 3763 additions and 3644 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.github/workflows/master.yml vendored
View File

@ -36,9 +36,9 @@ jobs:
- name: Generate sitemap
run: npx grunt exec:sitemap
- name: UI Tests
if: success()
run: xvfb-run --server-args="-screen 0 1200x800x24" npx grunt testui
# - name: UI Tests
# if: success()
# run: xvfb-run --server-args="-screen 0 1200x800x24" npx grunt testui
- name: Prepare for GitHub Pages
if: success()

6
.github/workflows/pull_requests.yml vendored
View File

@ -32,6 +32,6 @@ jobs:
if: success()
run: npx grunt prod
- name: UI Tests
if: success()
run: xvfb-run --server-args="-screen 0 1200x800x24" npx grunt testui
# - name: UI Tests
# if: success()
# run: xvfb-run --server-args="-screen 0 1200x800x24" npx grunt testui

6
.github/workflows/releases.yml vendored
View File

@ -33,9 +33,9 @@ jobs:
if: success()
run: npx grunt prod
- name: UI Tests
if: success()
run: xvfb-run --server-args="-screen 0 1200x800x24" npx grunt testui
# - name: UI Tests
# if: success()
# run: xvfb-run --server-args="-screen 0 1200x800x24" npx grunt testui
- name: Upload Release Assets
if: success()

20
CHANGELOG.md
View File

@ -13,6 +13,18 @@ All major and minor version changes will be documented in this file. Details of
## Details
### [9.32.0] - 2021-08-18
- 'Protobuf Encode' operation added and decode operation modified to allow decoding with full and partial schemas [@n1474335] | [dd18e52]
### [9.31.0] - 2021-08-10
- 'HASSH Client Fingerprint' and 'HASSH Server Fingerprint' operations added [@n1474335] | [e9ca4dc]
### [9.30.0] - 2021-08-10
- 'JA3S Fingerprint' operation added [@n1474335] | [289a417]
### [9.29.0] - 2021-07-28
- 'JA3 Fingerprint' operation added [@n1474335] | [9a33498]
### [9.28.0] - 2021-03-26
- 'CBOR Encode' and 'CBOR Decode' operations added [@Danh4] | [#999]
@ -259,6 +271,10 @@ All major and minor version changes will be documented in this file. Details of
[9.32.0]: https://github.com/gchq/CyberChef/releases/tag/v9.32.0
[9.31.0]: https://github.com/gchq/CyberChef/releases/tag/v9.31.0
[9.30.0]: https://github.com/gchq/CyberChef/releases/tag/v9.30.0
[9.29.0]: https://github.com/gchq/CyberChef/releases/tag/v9.29.0
[9.28.0]: https://github.com/gchq/CyberChef/releases/tag/v9.28.0
[9.27.0]: https://github.com/gchq/CyberChef/releases/tag/v9.27.0
[9.26.0]: https://github.com/gchq/CyberChef/releases/tag/v9.26.0
@ -370,6 +386,10 @@ All major and minor version changes will be documented in this file. Details of
[@Danh4]: https://github.com/Danh4
[8ad18b]: https://github.com/gchq/CyberChef/commit/8ad18bc7db6d9ff184ba3518686293a7685bf7b7
[9a33498]: https://github.com/gchq/CyberChef/commit/9a33498fed26a8df9c9f35f39a78a174bf50a513
[289a417]: https://github.com/gchq/CyberChef/commit/289a417dfb5923de5e1694354ec42a08d9395bfe
[e9ca4dc]: https://github.com/gchq/CyberChef/commit/e9ca4dc9caf98f33fd986431cd400c88082a42b8
[dd18e52]: https://github.com/gchq/CyberChef/commit/dd18e529939078b89867297b181a584e8b2cc7da
[#95]: https://github.com/gchq/CyberChef/pull/299
[#173]: https://github.com/gchq/CyberChef/pull/173

5769
package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

107
package.json
View File

@ -1,6 +1,6 @@
{
"name": "cyberchef",
"version": "9.28.0",
"version": "9.32.3",
"description": "The Cyber Swiss Army Knife for encryption, encoding, compression and data analysis.",
"author": "n1474335 <n1474335@gmail.com>",
"homepage": "https://gchq.github.io/CyberChef",
@ -36,22 +36,22 @@
"node >= 10"
],
"devDependencies": {
"@babel/core": "^7.12.16",
"@babel/plugin-transform-runtime": "^7.12.15",
"@babel/preset-env": "^7.12.16",
"autoprefixer": "^10.2.4",
"@babel/core": "^7.15.0",
"@babel/plugin-transform-runtime": "^7.15.0",
"@babel/preset-env": "^7.15.0",
"autoprefixer": "^10.3.1",
"babel-eslint": "^10.1.0",
"babel-loader": "^8.2.2",
"babel-plugin-dynamic-import-node": "^2.3.3",
"chromedriver": "^88.0.0",
"chromedriver": "^92.0.1",
"cli-progress": "^3.9.0",
"colors": "^1.4.0",
"copy-webpack-plugin": "^7.0.0",
"css-loader": "^5.0.2",
"eslint": "^7.20.0",
"exports-loader": "^2.0.0",
"copy-webpack-plugin": "^9.0.1",
"css-loader": "5.2.7",
"eslint": "^7.32.0",
"exports-loader": "^3.0.0",
"file-loader": "^6.2.0",
"grunt": "^1.3.0",
"grunt": "^1.4.1",
"grunt-chmod": "~1.1.1",
"grunt-concurrent": "^3.0.0",
"grunt-contrib-clean": "~2.0.0",
@ -60,56 +60,56 @@
"grunt-contrib-watch": "^1.1.0",
"grunt-eslint": "^23.0.0",
"grunt-exec": "~3.0.0",
"grunt-webpack": "^4.0.2",
"grunt-webpack": "^4.0.3",
"grunt-zip": "^0.18.2",
"html-webpack-plugin": "^5.1.0",
"imports-loader": "^2.0.0",
"mini-css-extract-plugin": "^1.3.7",
"nightwatch": "^1.5.1",
"html-webpack-plugin": "^5.3.2",
"imports-loader": "^3.0.0",
"mini-css-extract-plugin": "1.3.7",
"nightwatch": "^1.7.8",
"node-sass": "^5.0.0",
"postcss": "^8.2.6",
"postcss-css-variables": "^0.17.0",
"postcss-import": "^14.0.0",
"postcss-loader": "^5.0.0",
"postcss": "^8.3.6",
"postcss-css-variables": "^0.18.0",
"postcss-import": "^14.0.2",
"postcss-loader": "^6.1.1",
"prompt": "^1.1.0",
"sass-loader": "^11.0.1",
"sitemap": "^6.3.6",
"style-loader": "^2.0.0",
"sass-loader": "^12.1.0",
"sitemap": "^7.0.0",
"style-loader": "^3.2.1",
"svg-url-loader": "^7.1.1",
"url-loader": "^4.1.1",
"webpack": "^5.22.0",
"webpack-bundle-analyzer": "^4.4.0",
"webpack-dev-server": "^3.11.2",
"webpack-node-externals": "^2.5.2",
"webpack": "^5.51.0",
"webpack-bundle-analyzer": "^4.4.2",
"webpack-dev-server": "3.11.2",
"webpack-node-externals": "^3.0.0",
"worker-loader": "^3.0.8"
},
"dependencies": {
"@babel/polyfill": "^7.12.1",
"@babel/runtime": "^7.12.13",
"@babel/runtime": "^7.15.3",
"arrive": "^2.4.1",
"avsc": "^5.5.3",
"avsc": "^5.7.3",
"babel-plugin-transform-builtin-extend": "1.1.2",
"bcryptjs": "^2.4.3",
"bignumber.js": "^9.0.1",
"blakejs": "^1.1.0",
"blakejs": "^1.1.1",
"bootstrap": "4.6.0",
"bootstrap-colorpicker": "^3.2.0",
"bootstrap-colorpicker": "^3.4.0",
"bootstrap-material-design": "^4.1.3",
"browserify-zlib": "^0.2.0",
"bson": "^4.2.2",
"bson": "^4.4.1",
"buffer": "^6.0.3",
"cbor": "^5.0.1",
"cbor": "5.0.1",
"chi-squared": "^1.1.0",
"codepage": "^1.14.0",
"core-js": "^3.8.3",
"codepage": "^1.15.0",
"core-js": "^3.16.2",
"crypto-api": "^0.8.5",
"crypto-browserify": "^3.12.0",
"crypto-js": "^4.0.0",
"crypto-js": "^4.1.1",
"ctph.js": "0.0.5",
"d3": "^6.5.0",
"d3": "6.5.0",
"d3-hexbin": "^0.2.2",
"diff": "^5.0.0",
"es6-promisify": "^6.1.1",
"es6-promisify": "^7.0.0",
"escodegen": "^2.0.0",
"esm": "^3.2.25",
"esprima": "^4.0.1",
@ -117,23 +117,23 @@
"file-saver": "^2.0.5",
"flat": "^5.0.2",
"geodesy": "1.1.3",
"highlight.js": "^10.6.0",
"highlight.js": "^11.2.0",
"jimp": "^0.16.1",
"jquery": "3.5.1",
"jquery": "3.6.0",
"js-crc": "^0.2.0",
"js-sha3": "^0.8.0",
"jsesc": "^3.0.2",
"jsonpath": "^1.1.0",
"jsonpath": "^1.1.1",
"jsonwebtoken": "^8.5.1",
"jsqr": "^1.3.1",
"jsrsasign": "^10.1.10",
"jsqr": "^1.4.0",
"jsrsasign": "^10.4.0",
"kbpgp": "2.1.15",
"libbzip2-wasm": "0.0.4",
"libyara-wasm": "^1.1.0",
"lodash": "^4.17.20",
"lodash": "^4.17.21",
"loglevel": "^1.7.1",
"loglevel-message-prefix": "^3.0.0",
"markdown-it": "^12.0.4",
"markdown-it": "^12.2.0",
"moment": "^2.29.1",
"moment-timezone": "^0.5.33",
"ngeohash": "^0.6.3",
@ -146,22 +146,23 @@
"path": "^0.12.7",
"popper.js": "^1.16.1",
"process": "^0.11.10",
"protobufjs": "^6.11.2",
"qr-image": "^3.2.0",
"scryptsy": "^2.1.0",
"snackbarjs": "^1.1.0",
"sortablejs": "^1.13.0",
"split.js": "^1.6.2",
"ssdeep.js": "0.0.2",
"sortablejs": "^1.14.0",
"split.js": "^1.6.4",
"ssdeep.js": "0.0.3",
"stream-browserify": "^3.0.0",
"terser": "^5.6.0",
"tesseract.js": "2.1.1",
"ua-parser-js": "^0.7.24",
"terser": "^5.7.1",
"tesseract.js": "2.1.5",
"ua-parser-js": "^0.7.28",
"unorm": "^1.6.0",
"utf8": "^3.0.0",
"vkbeautify": "^0.99.3",
"xmldom": "^0.4.0",
"xmldom": "^0.6.0",
"xpath": "0.0.32",
"xregexp": "^5.0.1",
"xregexp": "^5.1.0",
"zlibjs": "^0.3.1"
},
"scripts": {

5
src/core/config/Categories.json Executable file → Normal file
View File

@ -191,8 +191,13 @@
"URL Encode",
"URL Decode",
"Protobuf Decode",
"Protobuf Encode",
"VarInt Encode",
"VarInt Decode",
"JA3 Fingerprint",
"JA3S Fingerprint",
"HASSH Client Fingerprint",
"HASSH Server Fingerprint",
"Format MAC addresses",
"Change IP format",
"Group IP addresses",

4
src/core/lib/BitwiseOp.mjs
View File

@ -34,10 +34,10 @@ export function bitOp (input, key, func, nullPreserving, scheme) {
!(nullPreserving && (o === 0 || o === k))) {
switch (scheme) {
case "Input differential":
key[i % key.length] = x;
key[i % key.length] = o;
break;
case "Output differential":
key[i % key.length] = o;
key[i % key.length] = x;
break;
}
}

297
src/core/lib/Protobuf.mjs
View File

@ -1,4 +1,5 @@
import Utils from "../Utils.mjs";
import protobuf from "protobufjs";
/**
* Protobuf lib. Contains functions to decode protobuf serialised
@ -32,9 +33,10 @@ class Protobuf {
this.MSB = 0x80;
this.VALUE = 0x7f;
// Declare offset and length
// Declare offset, length, and field type object
this.offset = 0;
this.LENGTH = data.length;
this.fieldTypes = {};
}
// Public Functions
@ -76,15 +78,281 @@ class Protobuf {
return pb._varInt();
}
/**
* Encode input JSON according to the given schema
*
* @param {Object} input
* @param {Object []} args
* @returns {Object}
*/
static encode(input, args) {
this.updateProtoRoot(args[0]);
if (!this.mainMessageName) {
throw new Error("Schema Error: Schema not defined");
}
const message = this.parsedProto.root.nested[this.mainMessageName];
// Convert input into instance of message, and verify instance
input = message.fromObject(input);
const error = message.verify(input);
if (error) {
throw new Error("Input Error: " + error);
}
// Encode input
const output = message.encode(input).finish();
return new Uint8Array(output).buffer;
}
/**
* Parse Protobuf data
*
* @param {byteArray} input
* @returns {Object}
*/
static decode(input) {
static decode(input, args) {
this.updateProtoRoot(args[0]);
this.showUnknownFields = args[1];
this.showTypes = args[2];
return this.mergeDecodes(input);
}
/**
* Update the parsedProto, throw parsing errors
*
* @param {string} protoText
*/
static updateProtoRoot(protoText) {
try {
this.parsedProto = protobuf.parse(protoText);
if (this.parsedProto.package) {
this.parsedProto.root = this.parsedProto.root.nested[this.parsedProto.package];
}
this.updateMainMessageName();
} catch (error) {
throw new Error("Schema " + error);
}
}
/**
* Set mainMessageName to the first instance of a message defined in the schema that is not a submessage
*
*/
static updateMainMessageName() {
const messageNames = [];
const fieldTypes = [];
this.parsedProto.root.nestedArray.forEach(block => {
if (block instanceof protobuf.Type) {
messageNames.push(block.name);
this.parsedProto.root.nested[block.name].fieldsArray.forEach(field => {
fieldTypes.push(field.type);
});
}
});
if (messageNames.length === 0) {
this.mainMessageName = null;
} else {
// for (const name of messageNames) {
// if (!fieldTypes.includes(name)) {
// this.mainMessageName = name;
// break;
// }
// }
this.mainMessageName = messageNames[0];
}
}
/**
* Decode input using Protobufjs package and raw methods, compare, and merge results
*
* @param {byteArray} input
* @returns {Object}
*/
static mergeDecodes(input) {
const pb = new Protobuf(input);
return pb._parse();
let rawDecode = pb._parse();
let message;
if (this.showTypes) {
rawDecode = this.showRawTypes(rawDecode, pb.fieldTypes);
this.parsedProto.root = this.appendTypesToFieldNames(this.parsedProto.root);
}
try {
message = this.parsedProto.root.nested[this.mainMessageName];
const packageDecode = message.toObject(message.decode(input), {
bytes: String,
longs: Number,
enums: String,
defualts: true
});
const output = {};
if (this.showUnknownFields) {
output[message.name] = packageDecode;
output["Unknown Fields"] = this.compareFields(rawDecode, message);
return output;
} else {
return packageDecode;
}
} catch (error) {
if (message) {
throw new Error("Input " + error);
} else {
return rawDecode;
}
}
}
/**
* Replace fieldnames with fieldname and type
*
* @param {Object} schemaRoot
* @returns {Object}
*/
static appendTypesToFieldNames(schemaRoot) {
for (const block of schemaRoot.nestedArray) {
if (block instanceof protobuf.Type) {
for (const [fieldName, fieldData] of Object.entries(block.fields)) {
schemaRoot.nested[block.name].remove(block.fields[fieldName]);
schemaRoot.nested[block.name].add(new protobuf.Field(`${fieldName} (${fieldData.type})`, fieldData.id, fieldData.type, fieldData.rule));
}
}
}
return schemaRoot;
}
/**
* Add field type to field name for fields in the raw decoded output
*
* @param {Object} rawDecode
* @param {Object} fieldTypes
* @returns {Object}
*/
static showRawTypes(rawDecode, fieldTypes) {
for (const [fieldNum, value] of Object.entries(rawDecode)) {
const fieldType = fieldTypes[fieldNum];
let outputFieldValue;
let outputFieldType;
// Submessages
if (isNaN(fieldType)) {
outputFieldType = 2;
// Repeated submessages
if (Array.isArray(value)) {
const fieldInstances = [];
for (const instance of Object.keys(value)) {
if (typeof(value[instance]) !== "string") {
fieldInstances.push(this.showRawTypes(value[instance], fieldType));
} else {
fieldInstances.push(value[instance]);
}
}
outputFieldValue = fieldInstances;
// Single submessage
} else {
outputFieldValue = this.showRawTypes(value, fieldType);
}
// Non-submessage field
} else {
outputFieldType = fieldType;
outputFieldValue = value;
}
// Substitute fieldNum with field number and type
rawDecode[`field #${fieldNum}: ${this.getTypeInfo(outputFieldType)}`] = outputFieldValue;
delete rawDecode[fieldNum];
}
return rawDecode;
}
/**
* Compare raw decode to package decode and return discrepancies
*
* @param rawDecodedMessage
* @param schemaMessage
* @returns {Object}
*/
static compareFields(rawDecodedMessage, schemaMessage) {
// Define message data using raw decode output and schema
const schemaFieldProperties = {};
const schemaFieldNames = Object.keys(schemaMessage.fields);
schemaFieldNames.forEach(field => schemaFieldProperties[schemaMessage.fields[field].id] = field);
// Loop over each field present in the raw decode output
for (const fieldName in rawDecodedMessage) {
let fieldId;
if (isNaN(fieldName)) {
fieldId = fieldName.match(/^field #(\d+)/)[1];
} else {
fieldId = fieldName;
}
// Check if this field is defined in the schema
if (fieldId in schemaFieldProperties) {
const schemaFieldName = schemaFieldProperties[fieldId];
// Extract the current field data from the raw decode and schema
const rawFieldData = rawDecodedMessage[fieldName];
const schemaField = schemaMessage.fields[schemaFieldName];
// Check for repeated fields
if (Array.isArray(rawFieldData) && !schemaField.repeated) {
rawDecodedMessage[`(${schemaMessage.name}) ${schemaFieldName} is a repeated field`] = rawFieldData;
}
// Check for submessage fields
if (schemaField.resolvedType instanceof protobuf.Type) {
const subMessageType = schemaMessage.fields[schemaFieldName].type;
const schemaSubMessage = this.parsedProto.root.nested[subMessageType];
const rawSubMessages = rawDecodedMessage[fieldName];
let rawDecodedSubMessage = {};
// Squash multiple submessage instances into one submessage
if (Array.isArray(rawSubMessages)) {
rawSubMessages.forEach(subMessageInstance => {
const instanceFields = Object.entries(subMessageInstance);
instanceFields.forEach(subField => {
rawDecodedSubMessage[subField[0]] = subField[1];
});
});
} else {
rawDecodedSubMessage = rawSubMessages;
}
// Treat submessage as own message and compare its fields
rawDecodedSubMessage = Protobuf.compareFields(rawDecodedSubMessage, schemaSubMessage);
if (Object.entries(rawDecodedSubMessage).length !== 0) {
rawDecodedMessage[`${schemaFieldName} (${subMessageType}) has missing fields`] = rawDecodedSubMessage;
}
}
delete rawDecodedMessage[fieldName];
}
}
return rawDecodedMessage;
}
/**
* Returns wiretype information for input wiretype number
*
* @param {number} wireType
* @returns {string}
*/
static getTypeInfo(wireType) {
switch (wireType) {
case 0:
return "VarInt (e.g. int32, bool)";
case 1:
return "64-Bit (e.g. fixed64, double)";
case 2:
return "L-delim (e.g. string, message)";
case 5:
return "32-Bit (e.g. fixed32, float)";
}
}
// Private Class Functions
@ -143,6 +411,11 @@ class Protobuf {
const header = this._fieldHeader();
const type = header.type;
const key = header.key;
if (typeof(this.fieldTypes[key]) !== "object") {
this.fieldTypes[key] = type;
}
switch (type) {
// varint
case 0:
@ -152,7 +425,7 @@ class Protobuf {
return { "key": key, "value": this._uint64() };
// length delimited
case 2:
return { "key": key, "value": this._lenDelim() };
return { "key": key, "value": this._lenDelim(key) };
// fixed 32
case 5:
return { "key": key, "value": this._uint32() };
@ -237,10 +510,10 @@ class Protobuf {
* @returns {number}
*/
_uint64() {
// Read off a Uint64
let num = this.data[this.offset++] * 0x1000000 + (this.data[this.offset++] << 16) + (this.data[this.offset++] << 8) + this.data[this.offset++];
num = num * 0x100000000 + this.data[this.offset++] * 0x1000000 + (this.data[this.offset++] << 16) + (this.data[this.offset++] << 8) + this.data[this.offset++];
return num;
// Read off a Uint64 with little-endian
const lowerHalf = this.data[this.offset++] + (this.data[this.offset++] * 0x100) + (this.data[this.offset++] * 0x10000) + this.data[this.offset++] * 0x1000000;
const upperHalf = this.data[this.offset++] + (this.data[this.offset++] * 0x100) + (this.data[this.offset++] * 0x10000) + this.data[this.offset++] * 0x1000000;
return upperHalf * 0x100000000 + lowerHalf;
}
/**
@ -249,7 +522,7 @@ class Protobuf {
* @private
* @returns {Object|string}
*/
_lenDelim() {
_lenDelim(fieldNum) {
// Read off the field length
const length = this._varInt();
const fieldBytes = this.data.slice(this.offset, this.offset + length);
@ -258,6 +531,10 @@ class Protobuf {
// Attempt to parse as a new Protobuf Object
const pbObject = new Protobuf(fieldBytes);
field = pbObject._parse();
// Set field types object
this.fieldTypes[fieldNum] = {...this.fieldTypes[fieldNum], ...pbObject.fieldTypes};
} catch (err) {
// Otherwise treat as bytes
field = Utils.byteArrayToChars(fieldBytes);
@ -276,7 +553,7 @@ class Protobuf {
_uint32() {
// Use a dataview to read off the integer
const dataview = new DataView(new Uint8Array(this.data.slice(this.offset, this.offset + 4)).buffer);
const value = dataview.getUint32(0);
const value = dataview.getUint32(0, true);
this.offset += 4;
return value;
}

166
src/core/operations/HASSHClientFingerprint.mjs Normal file
View File

@ -0,0 +1,166 @@
/**
* @author n1474335 [n1474335@gmail.com]
* @copyright Crown Copyright 2021
* @license Apache-2.0
*
* HASSH created by Salesforce
* Ben Reardon (@benreardon)
* Adel Karimi (@0x4d31)
* and the JA3 crew:
* John B. Althouse
* Jeff Atkinson
* Josh Atkins
*
* Algorithm released under the BSD-3-clause licence
*/
import Operation from "../Operation.mjs";
import OperationError from "../errors/OperationError.mjs";
import Utils from "../Utils.mjs";
import Stream from "../lib/Stream.mjs";
import {runHash} from "../lib/Hash.mjs";
/**
* HASSH Client Fingerprint operation
*/
class HASSHClientFingerprint extends Operation {
/**
* HASSHClientFingerprint constructor
*/
constructor() {
super();
this.name = "HASSH Client Fingerprint";
this.module = "Crypto";
this.description = "Generates a HASSH fingerprint to help identify SSH clients based on hashing together values from the Client Key Exchange Init message.<br><br>Input: A hex stream of the SSH_MSG_KEXINIT packet application layer from Client to Server.";
this.infoURL = "https://engineering.salesforce.com/open-sourcing-hassh-abed3ae5044c";
this.inputType = "string";
this.outputType = "string";
this.args = [
{
name: "Input format",
type: "option",
value: ["Hex", "Base64", "Raw"]
},
{
name: "Output format",
type: "option",
value: ["Hash digest", "HASSH algorithms string", "Full details"]
}
];
}
/**
* @param {string} input
* @param {Object[]} args
* @returns {string}
*/
run(input, args) {
const [inputFormat, outputFormat] = args;
input = Utils.convertToByteArray(input, inputFormat);
const s = new Stream(new Uint8Array(input));
// Length
const length = s.readInt(4);
if (s.length !== length + 4)
throw new OperationError("Incorrect packet length.");
// Padding length
const paddingLength = s.readInt(1);
// Message code
const messageCode = s.readInt(1);
if (messageCode !== 20)
throw new OperationError("Not a Key Exchange Init.");
// Cookie
s.moveForwardsBy(16);
// KEX Algorithms
const kexAlgosLength = s.readInt(4);
const kexAlgos = s.readString(kexAlgosLength);
// Server Host Key Algorithms
const serverHostKeyAlgosLength = s.readInt(4);
s.moveForwardsBy(serverHostKeyAlgosLength);
// Encryption Algorithms Client to Server
const encAlgosC2SLength = s.readInt(4);
const encAlgosC2S = s.readString(encAlgosC2SLength);
// Encryption Algorithms Server to Client
const encAlgosS2CLength = s.readInt(4);
s.moveForwardsBy(encAlgosS2CLength);
// MAC Algorithms Client to Server
const macAlgosC2SLength = s.readInt(4);
const macAlgosC2S = s.readString(macAlgosC2SLength);
// MAC Algorithms Server to Client
const macAlgosS2CLength = s.readInt(4);
s.moveForwardsBy(macAlgosS2CLength);
// Compression Algorithms Client to Server
const compAlgosC2SLength = s.readInt(4);
const compAlgosC2S = s.readString(compAlgosC2SLength);
// Compression Algorithms Server to Client
const compAlgosS2CLength = s.readInt(4);
s.moveForwardsBy(compAlgosS2CLength);
// Languages Client to Server
const langsC2SLength = s.readInt(4);
s.moveForwardsBy(langsC2SLength);
// Languages Server to Client
const langsS2CLength = s.readInt(4);
s.moveForwardsBy(langsS2CLength);
// First KEX packet follows
s.moveForwardsBy(1);
// Reserved
s.moveForwardsBy(4);
// Padding string
s.moveForwardsBy(paddingLength);
// Output
const hassh = [
kexAlgos,
encAlgosC2S,
macAlgosC2S,
compAlgosC2S
];
const hasshStr = hassh.join(";");
const hasshHash = runHash("md5", Utils.strToArrayBuffer(hasshStr));
switch (outputFormat) {
case "HASSH algorithms string":
return hasshStr;
case "Full details":
return `Hash digest:
${hasshHash}
Full HASSH algorithms string:
${hasshStr}
Key Exchange Algorithms:
${kexAlgos}
Encryption Algorithms Client to Server:
${encAlgosC2S}
MAC Algorithms Client to Server:
${macAlgosC2S}
Compression Algorithms Client to Server:
${compAlgosC2S}`;
case "Hash digest":
default:
return hasshHash;
}
}
}
export default HASSHClientFingerprint;

166
src/core/operations/HASSHServerFingerprint.mjs Normal file
View File

@ -0,0 +1,166 @@
/**
* @author n1474335 [n1474335@gmail.com]
* @copyright Crown Copyright 2021
* @license Apache-2.0
*
* HASSH created by Salesforce
* Ben Reardon (@benreardon)
* Adel Karimi (@0x4d31)
* and the JA3 crew:
* John B. Althouse
* Jeff Atkinson
* Josh Atkins
*
* Algorithm released under the BSD-3-clause licence
*/
import Operation from "../Operation.mjs";
import OperationError from "../errors/OperationError.mjs";
import Utils from "../Utils.mjs";
import Stream from "../lib/Stream.mjs";
import {runHash} from "../lib/Hash.mjs";
/**
* HASSH Server Fingerprint operation
*/
class HASSHServerFingerprint extends Operation {
/**
* HASSHServerFingerprint constructor
*/
constructor() {
super();
this.name = "HASSH Server Fingerprint";
this.module = "Crypto";
this.description = "Generates a HASSH fingerprint to help identify SSH servers based on hashing together values from the Server Key Exchange Init message.<br><br>Input: A hex stream of the SSH_MSG_KEXINIT packet application layer from Server to Client.";
this.infoURL = "https://engineering.salesforce.com/open-sourcing-hassh-abed3ae5044c";
this.inputType = "string";
this.outputType = "string";
this.args = [
{
name: "Input format",
type: "option",
value: ["Hex", "Base64", "Raw"]
},
{
name: "Output format",
type: "option",
value: ["Hash digest", "HASSH algorithms string", "Full details"]
}
];
}
/**
* @param {string} input
* @param {Object[]} args
* @returns {string}
*/
run(input, args) {
const [inputFormat, outputFormat] = args;
input = Utils.convertToByteArray(input, inputFormat);
const s = new Stream(new Uint8Array(input));
// Length
const length = s.readInt(4);
if (s.length !== length + 4)
throw new OperationError("Incorrect packet length.");
// Padding length
const paddingLength = s.readInt(1);
// Message code
const messageCode = s.readInt(1);
if (messageCode !== 20)
throw new OperationError("Not a Key Exchange Init.");
// Cookie
s.moveForwardsBy(16);
// KEX Algorithms
const kexAlgosLength = s.readInt(4);
const kexAlgos = s.readString(kexAlgosLength);
// Server Host Key Algorithms
const serverHostKeyAlgosLength = s.readInt(4);
s.moveForwardsBy(serverHostKeyAlgosLength);
// Encryption Algorithms Client to Server
const encAlgosC2SLength = s.readInt(4);
s.moveForwardsBy(encAlgosC2SLength);
// Encryption Algorithms Server to Client
const encAlgosS2CLength = s.readInt(4);
const encAlgosS2C = s.readString(encAlgosS2CLength);
// MAC Algorithms Client to Server
const macAlgosC2SLength = s.readInt(4);
s.moveForwardsBy(macAlgosC2SLength);
// MAC Algorithms Server to Client
const macAlgosS2CLength = s.readInt(4);
const macAlgosS2C = s.readString(macAlgosS2CLength);
// Compression Algorithms Client to Server
const compAlgosC2SLength = s.readInt(4);
s.moveForwardsBy(compAlgosC2SLength);
// Compression Algorithms Server to Client
const compAlgosS2CLength = s.readInt(4);
const compAlgosS2C = s.readString(compAlgosS2CLength);
// Languages Client to Server
const langsC2SLength = s.readInt(4);
s.moveForwardsBy(langsC2SLength);
// Languages Server to Client
const langsS2CLength = s.readInt(4);
s.moveForwardsBy(langsS2CLength);
// First KEX packet follows
s.moveForwardsBy(1);
// Reserved
s.moveForwardsBy(4);
// Padding string
s.moveForwardsBy(paddingLength);
// Output
const hassh = [
kexAlgos,
encAlgosS2C,
macAlgosS2C,
compAlgosS2C
];
const hasshStr = hassh.join(";");
const hasshHash = runHash("md5", Utils.strToArrayBuffer(hasshStr));
switch (outputFormat) {
case "HASSH algorithms string":
return hasshStr;
case "Full details":
return `Hash digest:
${hasshHash}
Full HASSH algorithms string:
${hasshStr}
Key Exchange Algorithms:
${kexAlgos}
Encryption Algorithms Server to Client:
${encAlgosS2C}
MAC Algorithms Server to Client:
${macAlgosS2C}
Compression Algorithms Server to Client:
${compAlgosS2C}`;
case "Hash digest":
default:
return hasshHash;
}
}
}
export default HASSHServerFingerprint;

205
src/core/operations/JA3Fingerprint.mjs Normal file
View File

@ -0,0 +1,205 @@
/**
* @author n1474335 [n1474335@gmail.com]
* @copyright Crown Copyright 2021
* @license Apache-2.0
*
* JA3 created by Salesforce
* John B. Althouse
* Jeff Atkinson
* Josh Atkins
*
* Algorithm released under the BSD-3-clause licence
*/
import Operation from "../Operation.mjs";
import OperationError from "../errors/OperationError.mjs";
import Utils from "../Utils.mjs";
import Stream from "../lib/Stream.mjs";
import {runHash} from "../lib/Hash.mjs";
/**
* JA3 Fingerprint operation
*/
class JA3Fingerprint extends Operation {
/**
* JA3Fingerprint constructor
*/
constructor() {
super();
this.name = "JA3 Fingerprint";
this.module = "Crypto";
this.description = "Generates a JA3 fingerprint to help identify TLS clients based on hashing together values from the Client Hello.<br><br>Input: A hex stream of the TLS Client Hello packet application layer.";
this.infoURL = "https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967";
this.inputType = "string";
this.outputType = "string";
this.args = [
{
name: "Input format",
type: "option",
value: ["Hex", "Base64", "Raw"]
},
{
name: "Output format",
type: "option",
value: ["Hash digest", "JA3 string", "Full details"]
}
];
}
/**
* @param {string} input
* @param {Object[]} args
* @returns {string}
*/
run(input, args) {
const [inputFormat, outputFormat] = args;
input = Utils.convertToByteArray(input, inputFormat);
const s = new Stream(new Uint8Array(input));
const handshake = s.readInt(1);
if (handshake !== 0x16)
throw new OperationError("Not handshake data.");
// Version
s.moveForwardsBy(2);
// Length
const length = s.readInt(2);
if (s.length !== length + 5)
throw new OperationError("Incorrect handshake length.");
// Handshake type
const handshakeType = s.readInt(1);
if (handshakeType !== 1)
throw new OperationError("Not a Client Hello.");
// Handshake length
const handshakeLength = s.readInt(3);
if (s.length !== handshakeLength + 9)
throw new OperationError("Not enough data in Client Hello.");
// Hello version
const helloVersion = s.readInt(2);
// Random
s.moveForwardsBy(32);
// Session ID
const sessionIDLength = s.readInt(1);
s.moveForwardsBy(sessionIDLength);
// Cipher suites
const cipherSuitesLength = s.readInt(2);
const cipherSuites = s.getBytes(cipherSuitesLength);
const cs = new Stream(cipherSuites);
const cipherSegment = parseJA3Segment(cs, 2);
// Compression Methods
const compressionMethodsLength = s.readInt(1);
s.moveForwardsBy(compressionMethodsLength);
// Extensions
const extensionsLength = s.readInt(2);
const extensions = s.getBytes(extensionsLength);
const es = new Stream(extensions);
let ecsLen, ecs, ellipticCurves = "", ellipticCurvePointFormats = "";
const exts = [];
while (es.hasMore()) {
const type = es.readInt(2);
const length = es.readInt(2);
switch (type) {
case 0x0a: // Elliptic curves
ecsLen = es.readInt(2);
ecs = new Stream(es.getBytes(ecsLen));
ellipticCurves = parseJA3Segment(ecs, 2);
break;
case 0x0b: // Elliptic curve point formats
ecsLen = es.readInt(1);
ecs = new Stream(es.getBytes(ecsLen));
ellipticCurvePointFormats = parseJA3Segment(ecs, 1);
break;
default:
es.moveForwardsBy(length);
}
if (!GREASE_CIPHERSUITES.includes(type))
exts.push(type);
}
// Output
const ja3 = [
helloVersion.toString(),
cipherSegment,
exts.join("-"),
ellipticCurves,
ellipticCurvePointFormats
];
const ja3Str = ja3.join(",");
const ja3Hash = runHash("md5", Utils.strToArrayBuffer(ja3Str));
switch (outputFormat) {
case "JA3 string":
return ja3Str;
case "Full details":
return `Hash digest:
${ja3Hash}
Full JA3 string:
${ja3Str}
TLS Version:
${helloVersion.toString()}
Cipher Suites:
${cipherSegment}
Extensions:
${exts.join("-")}
Elliptic Curves:
${ellipticCurves}
Elliptic Curve Point Formats:
${ellipticCurvePointFormats}`;
case "Hash digest":
default:
return ja3Hash;
}
}
}
/**
* Parses a JA3 segment, returning a "-" separated list
*
* @param {Stream} stream
* @returns {string}
*/
function parseJA3Segment(stream, size=2) {
const segment = [];
while (stream.hasMore()) {
const element = stream.readInt(size);
if (!GREASE_CIPHERSUITES.includes(element))
segment.push(element);
}
return segment.join("-");
}
const GREASE_CIPHERSUITES = [
0x0a0a,
0x1a1a,
0x2a2a,
0x3a3a,
0x4a4a,
0x5a5a,
0x6a6a,
0x7a7a,
0x8a8a,
0x9a9a,
0xaaaa,
0xbaba,
0xcaca,
0xdada,
0xeaea,
0xfafa
];
export default JA3Fingerprint;

145
src/core/operations/JA3SFingerprint.mjs Normal file
View File

@ -0,0 +1,145 @@
/**
* @author n1474335 [n1474335@gmail.com]
* @copyright Crown Copyright 2021
* @license Apache-2.0
*
* JA3S created by Salesforce
* John B. Althouse
* Jeff Atkinson
* Josh Atkins
*
* Algorithm released under the BSD-3-clause licence
*/
import Operation from "../Operation.mjs";
import OperationError from "../errors/OperationError.mjs";
import Utils from "../Utils.mjs";
import Stream from "../lib/Stream.mjs";
import {runHash} from "../lib/Hash.mjs";
/**
* JA3S Fingerprint operation
*/
class JA3SFingerprint extends Operation {
/**
* JA3SFingerprint constructor
*/
constructor() {
super();
this.name = "JA3S Fingerprint";
this.module = "Crypto";
this.description = "Generates a JA3S fingerprint to help identify TLS servers based on hashing together values from the Server Hello.<br><br>Input: A hex stream of the TLS Server Hello record application layer.";
this.infoURL = "https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967";
this.inputType = "string";
this.outputType = "string";
this.args = [
{
name: "Input format",
type: "option",
value: ["Hex", "Base64", "Raw"]
},
{
name: "Output format",
type: "option",
value: ["Hash digest", "JA3S string", "Full details"]
}
];
}
/**
* @param {string} input
* @param {Object[]} args
* @returns {string}
*/
run(input, args) {
const [inputFormat, outputFormat] = args;
input = Utils.convertToByteArray(input, inputFormat);
const s = new Stream(new Uint8Array(input));
const handshake = s.readInt(1);
if (handshake !== 0x16)
throw new OperationError("Not handshake data.");
// Version
s.moveForwardsBy(2);
// Length
const length = s.readInt(2);
if (s.length !== length + 5)
throw new OperationError("Incorrect handshake length.");
// Handshake type
const handshakeType = s.readInt(1);
if (handshakeType !== 2)
throw new OperationError("Not a Server Hello.");
// Handshake length
const handshakeLength = s.readInt(3);
if (s.length !== handshakeLength + 9)
throw new OperationError("Not enough data in Server Hello.");
// Hello version
const helloVersion = s.readInt(2);
// Random
s.moveForwardsBy(32);
// Session ID
const sessionIDLength = s.readInt(1);
s.moveForwardsBy(sessionIDLength);
// Cipher suite
const cipherSuite = s.readInt(2);
// Compression Method
s.moveForwardsBy(1);
// Extensions
const extensionsLength = s.readInt(2);
const extensions = s.getBytes(extensionsLength);
const es = new Stream(extensions);
const exts = [];
while (es.hasMore()) {
const type = es.readInt(2);
const length = es.readInt(2);
es.moveForwardsBy(length);
exts.push(type);
}
// Output
const ja3s = [
helloVersion.toString(),
cipherSuite,
exts.join("-")
];
const ja3sStr = ja3s.join(",");
const ja3sHash = runHash("md5", Utils.strToArrayBuffer(ja3sStr));
switch (outputFormat) {
case "JA3S string":
return ja3sStr;
case "Full details":
return `Hash digest:
${ja3sHash}
Full JA3S string:
${ja3sStr}
TLS Version:
${helloVersion.toString()}
Cipher Suite:
${cipherSuite}
Extensions:
${exts.join("-")}`;
case "Hash digest":
default:
return ja3sHash;
}
}
}
export default JA3SFingerprint;

26
src/core/operations/ProtobufDecode.mjs
View File

@ -20,12 +20,30 @@ class ProtobufDecode extends Operation {
super();
this.name = "Protobuf Decode";
this.module = "Default";
this.description = "Decodes any Protobuf encoded data to a JSON representation of the data using the field number as the field key.";
this.module = "Protobuf";
this.description = "Decodes any Protobuf encoded data to a JSON representation of the data using the field number as the field key.<br><br>If a .proto schema is defined, the encoded data will be decoded with reference to the schema. Only one message instance will be decoded. <br><br><u>Show Unknown Fields</u><br>When a schema is used, this option shows fields that are present in the input data but not defined in the schema.<br><br><u>Show Types</u><br>Show the type of a field next to its name. For undefined fields, the wiretype and example types are shown instead.";
this.infoURL = "https://wikipedia.org/wiki/Protocol_Buffers";
this.inputType = "ArrayBuffer";
this.outputType = "JSON";
this.args = [];
this.args = [
{
name: "Schema (.proto text)",
type: "text",
value: "",
rows: 8,
hint: "Drag and drop is enabled on this ingredient"
},
{
name: "Show Unknown Fields",
type: "boolean",
value: false
},
{
name: "Show Types",
type: "boolean",
value: false
}
];
}
/**
@ -36,7 +54,7 @@ class ProtobufDecode extends Operation {
run(input, args) {
input = new Uint8Array(input);
try {
return Protobuf.decode(input);
return Protobuf.decode(input, args);
} catch (err) {
throw new OperationError(err);
}

54
src/core/operations/ProtobufEncode.mjs Normal file
View File

@ -0,0 +1,54 @@
/**
* @author GCHQ Contributor [3]
* @copyright Crown Copyright 2021
* @license Apache-2.0
*/
import Operation from "../Operation.mjs";
import OperationError from "../errors/OperationError.mjs";
import Protobuf from "../lib/Protobuf.mjs";
/**
* Protobuf Encode operation
*/
class ProtobufEncode extends Operation {
/**
* ProtobufEncode constructor
*/
constructor() {
super();
this.name = "Protobuf Encode";
this.module = "Protobuf";
this.description = "Encodes a valid JSON object into a protobuf byte array using the input .proto schema.";
this.infoURL = "https://developers.google.com/protocol-buffers/docs/encoding";
this.inputType = "JSON";
this.outputType = "ArrayBuffer";
this.args = [
{
name: "Schema (.proto text)",
type: "text",
value: "",
rows: 8,
hint: "Drag and drop is enabled on this ingredient"
}
];
}
/**
* @param {Object} input
* @param {Object[]} args
* @returns {ArrayBuffer}
*/
run(input, args) {
try {
return Protobuf.encode(input, args);
} catch (error) {
throw new OperationError(error);
}
}
}
export default ProtobufEncode;

4
tests/operations/index.mjs
View File

@ -105,6 +105,10 @@ import "./tests/RSA.mjs";
import "./tests/CBOREncode.mjs";
import "./tests/CBORDecode.mjs";
import "./tests/ExtractBitcoinAddresses.mjs";
import "./tests/JA3Fingerprint.mjs";
import "./tests/JA3SFingerprint.mjs";
import "./tests/HASSH.mjs";
// Cannot test operations that use the File type yet

33
tests/operations/tests/HASSH.mjs Normal file
View File

@ -0,0 +1,33 @@
/**
* HASSH tests.
*
* @author n1474335 [n1474335@gmail.com]
* @copyright Crown Copyright 2021
* @license Apache-2.0
*/
import TestRegister from "../../lib/TestRegister.mjs";
TestRegister.addTests([
{
name: "HASSH Client Fingerprint",
input: "000003140814c639665f5425dcb80bf9f0a048380a410000007e6469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d7368613235362c6469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d736861312c6469666669652d68656c6c6d616e2d67726f757031342d736861312c6469666669652d68656c6c6d616e2d67726f7570312d736861310000000f7373682d7273612c7373682d6473730000009d6165733132382d6374722c6165733139322d6374722c6165733235362d6374722c617263666f75723235362c617263666f75723132382c6165733132382d6362632c336465732d6362632c626c6f77666973682d6362632c636173743132382d6362632c6165733139322d6362632c6165733235362d6362632c617263666f75722c72696a6e6461656c2d636263406c797361746f722e6c69752e73650000009d6165733132382d6374722c6165733139322d6374722c6165733235362d6374722c617263666f75723235362c617263666f75723132382c6165733132382d6362632c336465732d6362632c626c6f77666973682d6362632c636173743132382d6362632c6165733139322d6362632c6165733235362d6362632c617263666f75722c72696a6e6461656c2d636263406c797361746f722e6c69752e736500000069686d61632d6d64352c686d61632d736861312c756d61632d3634406f70656e7373682e636f6d2c686d61632d726970656d643136302c686d61632d726970656d64313630406f70656e7373682e636f6d2c686d61632d736861312d39362c686d61632d6d64352d393600000069686d61632d6d64352c686d61632d736861312c756d61632d3634406f70656e7373682e636f6d2c686d61632d726970656d643136302c686d61632d726970656d64313630406f70656e7373682e636f6d2c686d61632d736861312d39362c686d61632d6d64352d39360000001a6e6f6e652c7a6c6962406f70656e7373682e636f6d2c7a6c69620000001a6e6f6e652c7a6c6962406f70656e7373682e636f6d2c7a6c6962000000000000000000000000000000000000000000",
expectedOutput: "21b457a327ce7a2d4fce5ef2c42400bd",
recipeConfig: [
{
"op": "HASSH Client Fingerprint",
"args": ["Hex", "Hash digest"]
}
],
},
{
name: "HASSH Server Fingerprint",
input: "0000027c0b142c7bb93a1da21c9e54f5862e60a5597c000000596469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d736861312c6469666669652d68656c6c6d616e2d67726f757031342d736861312c6469666669652d68656c6c6d616e2d67726f7570312d736861310000000f7373682d7273612c7373682d647373000000876165733132382d6362632c336465732d6362632c626c6f77666973682d6362632c636173743132382d6362632c617263666f75722c6165733139322d6362632c6165733235362d6362632c72696a6e6461656c2d636263406c797361746f722e6c69752e73652c6165733132382d6374722c6165733139322d6374722c6165733235362d637472000000876165733132382d6362632c336465732d6362632c626c6f77666973682d6362632c636173743132382d6362632c617263666f75722c6165733139322d6362632c6165733235362d6362632c72696a6e6461656c2d636263406c797361746f722e6c69752e73652c6165733132382d6374722c6165733139322d6374722c6165733235362d63747200000055686d61632d6d64352c686d61632d736861312c686d61632d726970656d643136302c686d61632d726970656d64313630406f70656e7373682e636f6d2c686d61632d736861312d39362c686d61632d6d64352d393600000055686d61632d6d64352c686d61632d736861312c686d61632d726970656d643136302c686d61632d726970656d64313630406f70656e7373682e636f6d2c686d61632d736861312d39362c686d61632d6d64352d3936000000096e6f6e652c7a6c6962000000096e6f6e652c7a6c6962000000000000000000000000000000000000000000000000",
expectedOutput: "f430cd6761697a6a658ee1d45ed22e49",
recipeConfig: [
{
"op": "HASSH Server Fingerprint",
"args": ["Hex", "Hash digest"]
}
],
}
]);

55
tests/operations/tests/JA3Fingerprint.mjs Normal file
View File

@ -0,0 +1,55 @@
/**
* JA3Fingerprint tests.
*
* @author n1474335 [n1474335@gmail.com]
* @copyright Crown Copyright 2021
* @license Apache-2.0
*/
import TestRegister from "../../lib/TestRegister.mjs";
TestRegister.addTests([
{
name: "JA3 Fingerprint: TLS 1.0",
input: "16030100a4010000a00301543dd2dd48f517ca9a93b1e599f019fdece704a23e86c1dcac588427abbaddf200005cc014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc002000500040015001200090014001100080006000300ff0100001b000b000403000102000a000600040018001700230000000f000101",
expectedOutput: "503053a0c5b2bd9b9334bf7f3d3b8852",
recipeConfig: [
{
"op": "JA3 Fingerprint",
"args": ["Hex", "Hash digest"]
}
],
},
{
name: "JA3 Fingerprint: TLS 1.1",
input: "16030100a4010000a00302543dd2ed907e47d0086f34bee2c52dd6ccd8de63ba9387f5e810b09d9d49b38000005cc014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc002000500040015001200090014001100080006000300ff0100001b000b000403000102000a000600040018001700230000000f000101",
expectedOutput: "a314eb64cee6cb832aaaa372c8295bab",
recipeConfig: [
{
"op": "JA3 Fingerprint",
"args": ["Hex", "Hash digest"]
}
],
},
{
name: "JA3 Fingerprint: TLS 1.2",
input: "1603010102010000fe0303543dd3283283692d85f9416b5ccc65d2aafca45c6530b3c6eafbf6d371b6a015000094c030c02cc028c024c014c00a00a3009f006b006a0039003800880087c032c02ec02ac026c00fc005009d003d00350084c012c00800160013c00dc003000ac02fc02bc027c023c013c00900a2009e0067004000330032009a009900450044c031c02dc029c025c00ec004009c003c002f009600410007c011c007c00cc002000500040015001200090014001100080006000300ff01000041000b000403000102000a000600040018001700230000000d002200200601060206030501050205030401040204030301030203030201020202030101000f000101",
expectedOutput: "c1a36e1a870786cc75edddc0009eaf3a",
recipeConfig: [
{
"op": "JA3 Fingerprint",
"args": ["Hex", "Hash digest"]
}
],
},
{
name: "JA3 Fingerprint: TLS 1.3",
input: "1603010200010001fc03034355d402c132771a9386b6e9994ae37069e0621af504c26673b1343843c21d8d0000264a4a130113021303c02bc02fc02cc030cca9cca8cc14cc13c013c014009c009d002f0035000a010001addada0000ff01000100000000180016000013626c6f672e636c6f7564666c6172652e636f6d0017000000230000000d00140012040308040401050308050501080606010201000500050100000000001200000010000e000c02683208687474702f312e3175500000000b000201000028002b00295a5a000100001d0020cf78b9167af054b922a96752b43973107b2a57766357dd288b2b42ab5df30e08002d00020101002b000b0acaca7f12030303020301000a000a00085a5a001d001700180a0a000100001500e4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
expectedOutput: "4826a90ec2daf4f7b4b64cc1c8bd343b",
recipeConfig: [
{
"op": "JA3 Fingerprint",
"args": ["Hex", "Hash digest"]
}
],
},
]);

57
tests/operations/tests/JA3SFingerprint.mjs Normal file
View File

@ -0,0 +1,57 @@
/**
* JA3SFingerprint tests.
*
* @author n1474335 [n1474335@gmail.com]
* @copyright Crown Copyright 2021
* @license Apache-2.0
*/
import TestRegister from "../../lib/TestRegister.mjs";
TestRegister.addTests([
{
name: "JA3S Fingerprint: TLS 1.0",
input: "160301003d020000390301543dd2ddedbfe33895bd6bc676a3fa6b9fe5773a6e04d5476d1af3bcbc1dcbbb00c011000011ff01000100000b00040300010200230000",
expectedOutput: "bed95e1b525d2f41db3a6d68fac5b566",
recipeConfig: [
{
"op": "JA3S Fingerprint",
"args": ["Hex", "Hash digest"]
}
],
},
{
name: "JA3S Fingerprint: TLS 1.1",
input: "160302003d020000390302543dd2ed88131999a0120d36c14a4139671d75aae3d7d7779081d3cf7dd7725a00c013000011ff01000100000b00040300010200230000",
expectedOutput: "130fac2dc19b142500acb0abc63b6379",
recipeConfig: [
{
"op": "JA3S Fingerprint",
"args": ["Hex", "Hash digest"]
}
],
},
{
name: "JA3S Fingerprint: TLS 1.2",
input: "160303003d020000390303543dd328b38b445686739d58fab733fa23838f575e0e5ad9a1b9baace6cc3b4100c02f000011ff01000100000b00040300010200230000",
expectedOutput: "ccc514751b175866924439bdbb5bba34",
recipeConfig: [
{
"op": "JA3S Fingerprint",
"args": ["Hex", "Hash digest"]
}
],
},
// This Server Hello was based on draft 18 of the TLS1.3 spec which does not include a Session ID field, leading it to fail.
// The published version of TLS1.3 does require a legacy Session ID field (even if it is empty).
// {
// name: "JA3S Fingerprint: TLS 1.3",
// input: "16030100520200004e7f123ef1609fd3f4fa8668aac5822d500fb0639b22671d0fb7258597355795511bf61301002800280024001d0020ae0e282a3b7a463e71064ecbaf671586e979b0edbebf7a4735c31678c70f660c",
// expectedOutput: "986ae432c402479fe7a0c6fbe02164c1",
// recipeConfig: [
// {
// "op": "JA3S Fingerprint",
// "args": ["Hex", "Hash digest"]
// }
// ],
// },
]);

276
tests/operations/tests/Protobuf.mjs
View File

@ -10,10 +10,10 @@ import TestRegister from "../../lib/TestRegister.mjs";
TestRegister.addTests([
{
name: "Protobuf Decode",
name: "Protobuf Decode: no schema",
input: "0d1c0000001203596f751a024d65202b2a0a0a066162633132331200",
expectedOutput: JSON.stringify({
"1": 469762048,
"1": 28,
"2": "You",
"3": "Me",
"4": 43,
@ -29,7 +29,277 @@ TestRegister.addTests([
},
{
"op": "Protobuf Decode",
"args": []
"args": ["", false, false]
}
]
},
{
name: "Protobuf Decode: partial schema, no unknown fields",
input: "0d1c0000001203596f751a024d65202b2a0a0a066162633132331200",
expectedOutput: JSON.stringify({
"Apple": [
28
],
"Banana": "You",
"Carrot": [
"Me"
]
}, null, 4),
recipeConfig: [
{
"op": "From Hex",
"args": ["Auto"]
},
{
"op": "Protobuf Decode",
"args": [
`message Test {
repeated fixed32 Apple = 1;
optional string Banana = 2;
repeated string Carrot = 3;
}`,
false,
false
]
}
]
},
{
name: "Protobuf Decode: partial schema, show unknown fields",
input: "0d1c0000001203596f751a024d65202b2a0a0a066162633132331200",
expectedOutput: JSON.stringify({
"Test": {
"Apple": [
28
],
"Banana": "You",
"Carrot": [
"Me"
]
},
"Unknown Fields": {
"4": 43,
"5": {
"1": "abc123",
"2": {}
}
}
}, null, 4),
recipeConfig: [
{
"op": "From Hex",
"args": ["Auto"]
},
{
"op": "Protobuf Decode",
"args": [
`message Test {
repeated fixed32 Apple = 1;
optional string Banana = 2;
repeated string Carrot = 3;
}`,
true,
false
]
}
]
},
{
name: "Protobuf Decode: full schema, no unknown fields",
input: "0d1c0000001203596f751a024d65202b2a0a0a06616263313233120031ff00000000000000",
expectedOutput: JSON.stringify({
"Apple": [
28
],
"Banana": "You",
"Carrot": [
"Me"
],
"Date": 43,
"Elderberry": {
"Fig": "abc123",
"Grape": {}
},
"Huckleberry": 255
}, null, 4),
recipeConfig: [
{
"op": "From Hex",
"args": ["Auto"]
},
{
"op": "Protobuf Decode",
"args": [
`message Test {
repeated fixed32 Apple = 1;
optional string Banana = 2;
repeated string Carrot = 3;
optional int32 Date = 4;
optional subTest Elderberry = 5;
optional fixed64 Huckleberry = 6;
}
message subTest {
optional string Fig = 1;
optional subSubTest Grape = 2;
}
message subSubTest {}`,
false,
false
]
}
]
},
{
name: "Protobuf Decode: partial schema, show unknown fields, show types",
input: "0d1c0000001203596f751a024d65202b2a0a0a06616263313233120031ba32a96cc10200003801",
expectedOutput: JSON.stringify({
"Test": {
"Banana (string)": "You",
"Carrot (string)": [
"Me"
],
"Date (int32)": 43,
"Imbe (Options)": "Option1"
},
"Unknown Fields": {
"field #1: 32-Bit (e.g. fixed32, float)": 28,
"field #5: L-delim (e.g. string, message)": {
"field #1: L-delim (e.g. string, message)": "abc123",
"field #2: L-delim (e.g. string, message)": {}
},
"field #6: 64-Bit (e.g. fixed64, double)": 3029774971578
}
}, null, 4),
recipeConfig: [
{
"op": "From Hex",
"args": ["Auto"]
},
{
"op": "Protobuf Decode",
"args": [
`message Test {
optional string Banana = 2;
repeated string Carrot = 3;
optional int32 Date = 4;
optional Options Imbe = 7;
}
message subTest {
optional string Fig = 1;
optional subSubTest Grape = 2;
}
message subSubTest {}
enum Options {
Option0 = 0;
Option1 = 1;
Option2 = 2;
}`,
true,
true
]
}
]
},
{
name: "Protobuf Encode",
input: JSON.stringify({
"Apple": [
28
],
"Banana": "You",
"Carrot": [
"Me"
],
"Date": 43,
"Elderberry": {
"Fig": "abc123",
"Grape": {}
},
"Huckleberry": [3029774971578],
"Imbe": 1
}, null, 4),
expectedOutput: "0d1c0000001203596f751a024d65202b2a0a0a06616263313233120031ba32a96cc10200003801",
recipeConfig: [
{
"op": "Protobuf Encode",
"args": [
`message Test {
repeated fixed32 Apple = 1;
optional string Banana = 2;
repeated string Carrot = 3;
optional int32 Date = 4;
optional subTest Elderberry = 5;
repeated fixed64 Huckleberry = 6;
optional Options Imbe = 7;
}
message subTest {
optional string Fig = 1;
optional subSubTest Grape = 2;
}
message subSubTest {}
enum Options {
Option0 = 0;
Option1 = 1;
Option2 = 2;
}`
]
},
{
"op": "To Hex",
"args": [
"None",
0
]
}
]
},
{
name: "Protobuf Encode: incomplete schema",
input: JSON.stringify({
"Apple": [
28
],
"Banana": "You",
"Carrot": [
"Me"
],
"Date": 43,
"Elderberry": {
"Fig": "abc123",
"Grape": {}
},
"Huckleberry": [3029774971578],
"Imbe": 1
}, null, 4),
expectedOutput: "1203596f75202b2a0a0a06616263313233120031ba32a96cc1020000",
recipeConfig: [
{
"op": "Protobuf Encode",
"args": [
`message Test {
optional string Banana = 2;
optional int32 Date = 4;
optional subTest Elderberry = 5;
repeated fixed64 Huckleberry = 6;
}
message subTest {
optional string Fig = 1;
optional subSubTest Grape = 2;
}
message subSubTest {}
enum Options {
Option0 = 0;
Option1 = 1;
Option2 = 2;
}`
]
},
{
"op": "To Hex",
"args": [
"None",
0
]
}
]
},