All the fun links from Lee's IoT talk
@LeeBrotherston
LeeBrotherston / version-control-your-bash-rc-file-with-gist.md
Created Feb 26, 2018 — forked from Ashwinning/version-control-your-bash-rc-file-with-gist.md
Version control your `.bashrc` file (or any other file) with Github Gist #gistblog #ubuntu #bash

Version control your .bashrc file with Github Gist

Install Gist on your machine

If you have ruby installed (how to install ruby):

sudo gem install gist

If you're using Bundler:

local.rules
# Exercise 1: fire on any IP packet whose payload contains the string "OpenSSH" anywhere
alert ip any any -> any any (msg:"Exercise 1 - OpenSSH"; content:"OpenSSH"; sid:1000001; rev:1;)
# Exercise 2: only search the first 15 bytes of payload, so the SSH banner matches but an HTTP body that merely mentions OpenSSH does not
alert ip any any -> any any (msg:"Exercise 2 - OpenSSH not HTTP"; content:"OpenSSH"; depth:15; sid:1000002; rev:1;)
# Exercise 2 alt: same intent expressed as a PCRE anchored at the start of the payload (the SSH version-exchange line begins "SSH-")
alert ip any any -> any any (msg:"Exercise 2 alt - OpenSSH not HTTP"; pcre:"/^SSH\-.*OpenSSH/"; sid:1000003; rev:1;)
# Exercise 3: additionally restrict the match to the server's side of the flow; every rule needs its own unique sid, so this one cannot reuse 1000003
alert ip any any -> any any (msg:"Exercise 3 - OpenSSH not HTTP - Server only"; flow:from_server; pcre:"/^SSH\-.*OpenSSH/"; sid:1000004; rev:1;)
# Tor uplink: walks the TLS Client Hello (record header, handshake type, version, then byte_jump over the session id to the cipher suite list) and matches the exact cipher suite ordering observed from Tor 0.2.6.10
alert tcp any any -> any any ( msg:"Tor uplink (tested: 0.2.6.10)"; content: "|16 03 01|"; offset: 0; depth: 3; rawbytes; content: "|01|"; distance: 1; rawbytes; content: "|03 03|"; distance: 3; rawbytes; byte_jump: 1,43,align; content: "|00 30|"; distance: 0; rawbytes; content: "|C0 2B C0 2F C0 0A C0 09 C0 13 C0 14 C0 12 C0 07 C0 11 00 33 00 32 00 45 00 39 00 38 00 88 00 16 00 2F 00 41 00 35 00 84 00 0A 00 05 00 04 00 FF|"; distance: 0; rawbytes; content: "|01 00|"; distance: 0; rawbytes; content: "|00 00|"; rawbytes; distance: 2;
gist:5cca4b372277d7c6a049b26f87544351
Having analysed a sample PCAP of Pokemon Go traffic with FingerPrinTLS, you can see that it does not have a unique TLS fingerprint for detection. However...
The TLS fingerprints do show us which libraries are probably used by the application:
{ "timestamp": "2016-07-12 07:15:31", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.183.13.245", "src_port": 45578, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Android Webkit Thing", "server_name": "stats.unity3d.com" }
{ "timestamp": "2016-07-12 07:15:45", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.241.32.26", "src_port": 32962, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Android Webkit Thing", "server_name": "appload.ingest.crittercism.com" }
{ "timestamp": "2016-07-12 07:15:46", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.241.32.16", "src_port": 47967, "dst_port": 443, "tls_version": "
@LeeBrotherston
LeeBrotherston / gist:1a0ae1aedd968af1fce3
Created Mar 13, 2016
Importing a new signature to FingerPrinTLS
1 - Capture the traffic with fingerprintls *or* read a pcap containing the traffic.
Assuming the current version from git, use '-j' to specify where to save unknown fingerprints
and '-l' for the log location:
sudo ./fingerprintls -i en1 -j unknown_fingerprints.json -l log.json
or
sudo ./fingerprintls -p previous_capture.pcap -j unknown_fingerprints.json -l log.json
@LeeBrotherston
LeeBrotherston / gist:92cc2637f33468485b8f
Created Feb 21, 2016
Detect TLS Client Hello in many things using a BPF
Match TLS Client Hello packets with a BPF:
IPv4 + TCP: (tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1) and (tcp[tcp[12]/16*4+9]=3) and (tcp[tcp[12]/16*4+1]=3))
IPv6 + TCP: (ip6[(ip6[52]/16*4)+40]=22 and (ip6[(ip6[52]/16*4+5)+40]=1) and (ip6[(ip6[52]/16*4+9)+40]=3) and (ip6[(ip6[52]/16*4+1)+40]=3))
Teredo (IPv6 + TCP over IPv4 + UDP): ((udp[14] = 6 and udp[16] = 32 and udp[17] = 1) and ((udp[(udp[60]/16*4)+48]=22) and (udp[(udp[60]/16*4)+53]=1) and (udp[(udp[60]/16*4)+57]=3) and (udp[(udp[60]/16*4)+49]=3)))
6in4 (IPv6 + TCP over IPv4): (proto 41 and ip[26] = 6 and ip[(ip[72]/16*4)+60]=22 and (ip[(ip[72]/16*4+5)+60]=1) and (ip[(ip[72]/16*4+9)+60]=3) and (ip[(ip[72]/16*4+1)+60]=3)
Complete: (tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1) and (tcp[tcp[12]/16*4+9]=3) and (tcp[tcp[12]/16*4+1]=3)) or (ip6[(ip6[52]/16*4)+40]=22 and (ip6[(ip6[52]/16*4+5)+40]=1) and (ip6[(ip6[52]/16*4+9)+40]=3) and (ip6[(ip6[52]/16*4+1)+40]=3)) or ((udp[14] = 6 and
@LeeBrotherston
LeeBrotherston / gist:f5ab566d77e114f85692
Created Sep 18, 2015
Stealthier Attacks and Smarter Defending With TLS Fingerprinting
Ever been busted because you attempted to man in the middle software (which does TLS properly) and it
alerted someone to your bad certificate? No more! Want to detect certain types of connections leaving
your network, but can’t keep the IP blacklist up to date? This could be the answer.
This talk includes an introduction to both TLS and man in the middle attacks, a walkthrough on what
TLS fingerprints contain, how to create your own fingerprints, how we use the fingerprints in several
scenarios, and a discussion of implications and pitfalls.
TLS provides transport security to all manner of connections from legitimate financial transactions to
private conversations and malware calling home. The inability to analyse encrypted traffic protects its
@LeeBrotherston
LeeBrotherston / gist:80de22f7b44678f729bc
Last active Aug 29, 2015
Stealthier Attacks and Smarter Defending With TLS Fingerprinting
Ever been busted because you man-in-the-middled software (which does TLS properly) and it alerted someone to your bad
certificate? No more! Want to detect certain types of connections leaving your network, but can't keep the IP blacklist up
to date? This could be the answer.
This talk includes an introduction to both TLS and man in the middle attacks, a walkthrough on what TLS fingerprints
contain, how to create your own fingerprints, how we use the fingerprints in several scenarios, a demo, and a discussion of
implications and pitfalls.
TLS provides transport security to all manner of connections from legitimate financial transactions to private
conversations and malware calling home. The inability to analyse encrypted traffic protects its users, whether they are
@LeeBrotherston
LeeBrotherston / interception_snort_rule_0
Last active Aug 29, 2015
Snort Rule - Suspected TCP Injection
A window size of 1 and the absence of the "don't fragment" bit is consistent with injected packets observed from the Perftech bulletin system, amongst others.
It does not, of course, guarantee that injection has taken place, as it is possible to generate this type of packet legitimately; however, I have yet to experience a false positive with this.
For further information on this, please see: http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/
gist:7367881b53ebc8ea0192
URLs:
-----
SlideShare (SecTor & BSidesTO & TASK versions): http://www.slideshare.net/LeeBrotherston/
Recording of talk (SecTor): http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/
Contact:
--------
Twitter: @synackpse
email: lee@squarelemon.com