Fatt: Network Metadata & Fingerprint Extractor

Last Commit: 03/23/2022


Introduction

Fatt is a script that uses pyshark to extract network metadata and fingerprints. It can obtain data from live network traffic in real time or from existing pcap (packet capture) files. With this script, you can fingerprint almost everything in the captured traffic.


Fatt [Fingerprint All The Things]: Network Fingerprint Extractor

As a network utility, Fatt can be used for network forensics, but its main use case is monitoring honeypots. When reading from a packet capture file, it is effective at extracting HASSH and JA3 fingerprints. Fatt supports several network protocols, including HTTP, SSH, gQUIC, SSL/TLS, and RDP, which makes it well suited to network-based analysis. It can also be used for threat hunting within a network. The auxiliary Metasploit scanner is specifically useful in detecting potential security vulnerabilities within the RDP protocol.

Fatt can also decode traffic on specific ports as another protocol. For example, packets on a given port can be decoded as TLS, which lets you see the TLS ClientHello and the resulting JA3 fingerprint.

Fatt’s dependency on pyshark limits its performance, so it is not suited to serious network use cases. The developer is currently working on a new version that will be somewhat faster than the current one. Until the new version is released, it is recommended that you use other network analysis tools for the serious cases.

Features:

  • Supports Multiple Protocols: SSL/TLS, HTTP, SSH, gQUIC, RDP
  • Multiple fingerprint methods
  • Has JSON output

Supported Platforms:

  • Linux, Windows, OS X

Dependencies

Available Fingerprinting methods:

  • JA3: TLS client or server fingerprint
  • HTTP header fingerprint
  • HASSH: SSH client or server fingerprint
  • Soon to be added gQUIC/iQUIC fingerprint
  • RDFP (still experimental, for the standard RDP protocol only; the remaining RDP modes rely on TLS, so they can be fingerprinted with JA3)
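
How the JA3 client fingerprint listed above is derived from ClientHello fields, as an added example; this is not code from Fatt or from the original page. It follows the published JA3 definition (MD5 over the decimal ClientHello version, cipher suites, extensions, supported groups and EC point formats, with GREASE values removed); the function names and the sample ClientHello values are constructed for illustration.

```python
import hashlib

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. Clients insert them at
# random, so JA3 drops them to keep the fingerprint stable across connections.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}


def _join(values):
    """Dash-join decimal values in wire order, skipping GREASE."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version, ciphers, extensions, groups, point_formats):
    """Build the JA3 input string from parsed ClientHello fields.

    Order matters: two clients offering the same ciphers in a different
    order get different fingerprints. Empty lists stay as empty fields.
    """
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(groups), _join(point_formats)])


def ja3_hash(version, ciphers, extensions, groups, point_formats):
    """JA3 fingerprint: MD5 hex digest of the JA3 string."""
    s = ja3_string(version, ciphers, extensions, groups, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed sample ClientHello (legacy version 0x0303 = 771).
SAMPLE = dict(
    version=771,
    ciphers=[0x1301, 0x1302, 0xC02B, 0xC02F],
    extensions=[0, 23, 65281, 10, 11],
    groups=[29, 23, 24],
    point_formats=[0],
)
# The same client on another connection, with GREASE values mixed in.
SAMPLE_GREASED = dict(
    SAMPLE,
    ciphers=[0x2A2A] + SAMPLE["ciphers"],
    extensions=[0xDADA] + SAMPLE["extensions"],
    groups=[0x8A8A] + SAMPLE["groups"],
)

if __name__ == "__main__":
    print(ja3_string(**SAMPLE))
    print(ja3_hash(**SAMPLE), ja3_hash(**SAMPLE_GREASED))
```

Because the hash covers only what the client offers and in what order, it identifies a TLS client implementation rather than a host, which is why the same value recurring across honeypot sessions from different source addresses is worth correlating.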

Fatt Install

Clone the Fatt repo:

$ git clone https://github.com/0x4D31/fatt.git

To install dependencies run:

$ cd fatt/
$ pip3 install pipenv
$ pipenv install

Or run the following if you don’t want to use a virtual environment (VE):

$ pip3 install pyshark==0.4.2.2

To activate the VE, run the following command:

$ pipenv shell
Launching subshell in virtual environment…

Basic Usage

To list available options, use -h:

$ pipenv run python3 fatt.py -h
usage: fatt.py [-h] [-r READ_FILE] [-d READ_DIRECTORY] [-i INTERFACE]
               [-fp [{tls,ssh,rdp,http,gquic} [{tls,ssh,rdp,http,gquic} ...]]]
               [-da DECODE_AS] [-f BPF_FILTER] [-j] [-o OUTPUT_FILE]
               [-w WRITE_PCAP] [-p]

A python script for extracting network fingerprints

optional arguments:
  -h, --help            show this help message and exit
  -r READ_FILE, --read_file READ_FILE
                        pcap file to process
  -d READ_DIRECTORY, --read_directory READ_DIRECTORY
                        directory of pcap files to process
  -i INTERFACE, --interface INTERFACE
                        listen on interface
  -fp [{tls,ssh,rdp,http,gquic} [{tls,ssh,rdp,http,gquic} ...]], --fingerprint [{tls,ssh,rdp,http,gquic} [{tls,ssh,rdp,http,gquic} ...]]
                        protocols to fingerprint. Default: all
  -da DECODE_AS, --decode_as DECODE_AS
                        a dictionary of {decode_criterion_string:
                        decode_as_protocol} that is used to tell tshark to
                        decode protocols in situations it wouldn't usually.
  -f BPF_FILTER, --bpf_filter BPF_FILTER
                        BPF capture filter to use (for live capture only).'
  -j, --json_logging    log the output in json format
  -o OUTPUT_FILE, --output_file OUTPUT_FILE
                        specify the output log file. Default: fatt.log
  -w WRITE_PCAP, --write_pcap WRITE_PCAP
                        save the live captured packets to this file
  -p, --print_output    print the output