I hereby claim:
- I am leebrotherston on github.
- I am lee (https://keybase.io/lee) on keybase.
- I have a public key whose fingerprint is C110 4776 8997 2E64 A7B5 793E D04D 4922 FBAE 8F3B
To claim this, I am signing this object:
leE LeeBrotherston
🤘
LeeBrotherston
/ keybase.md
Last active
August 29, 2015 13:57
LeeBrotherston
/ gist:7367881b53ebc8ea0192
Created
November 24, 2014 04:51
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| URLs: | |
| ----- | |
| SlideShare (SecTor & BSidesTO & TASK versions): http://www.slideshare.net/LeeBrotherston/ | |
| Recording of talk (SecTor): http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/ | |
| Contact: | |
| -------- | |
| Twitter: @synackpse | |
| email: lee@squarelemon.com |
LeeBrotherston
/ interception_snort_rule_0
Last active
August 29, 2015 14:12
Snort Rule - Suspected TCP Injection
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| A window size of 1 and the abscence of the do not fragment bit is consistent with observed injected packets from the Perftech bulletin system, amongst others. | |
| It does not of course guarantee injection has taken place as it is possible to generate this type of packet legitimately, however I have yet to experience a false positive with this. | |
| For further information on this, please see: http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/ |
LeeBrotherston
/ gist:80de22f7b44678f729bc
Last active
August 29, 2015 14:25
Stealthier Attacks and Smarter Defending With TLS Fingerprinting
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Ever been busted because you man in the middled software (which does TLS properly) and it alerted someone to your bad | |
| certificate? No more! Want to detect certain types of connections leaving your network, but can’t keep the IP blacklist up | |
| to date? This could be the answer. | |
| This talk includes an introduction to both TLS and man in the middle attacks, a walkthrough on what TLS fingerprints | |
| contain, how to create your own fingerprints, how we use the fingerprints in several scenarios, a demo, and a discussion of | |
| implications and pitfalls. | |
| TLS provides transport security to all manner of connections from legitimate financial transactions to private | |
| conversations and malware calling home. The inability to analyse encrypted traffic protects its users, whether they are |
LeeBrotherston
/ gist:f5ab566d77e114f85692
Created
September 18, 2015 20:48
Stealthier Attacks and Smarter Defending With TLS Fingerprinting
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Ever been busted because you attempted to man in the middle software (which does TLS properly) and it | |
| alerted someone to your bad certificate? No more! Want to detect certain types of connections leaving | |
| your network, but can’t keep the IP blacklist up to date? This could be the answer. | |
| This talk includes an introduction to both TLS and man in the middle attacks, a walkthrough on what | |
| TLS fingerprints contain, how to create your own fingerprints, how we use the fingerprints in several | |
| scenarios, and a discussion of implications and pitfalls. | |
| TLS provides transport security to all manner of connections from legitimate financial transactions to | |
| private conversations and malware calling home. The inability to analyse encrypted traffic protects its |
LeeBrotherston
/ gist:92cc2637f33468485b8f
Created
February 21, 2016 05:38
Detect TLS Client Hello in many things using a BPF
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Match TLS Client Hello packets with a BPF: | |
| IPv4 + TCP: (tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1) and (tcp[tcp[12]/16*4+9]=3) and (tcp[tcp[12]/16*4+1]=3)) | |
| IPv6 + TCP: (ip6[(ip6[52]/16*4)+40]=22 and (ip6[(ip6[52]/16*4+5)+40]=1) and (ip6[(ip6[52]/16*4+9)+40]=3) and (ip6[(ip6[52]/16*4+1)+40]=3)) | |
| Teredo | |
| (IPv6 + TCP over IPv4 + UDP): ((udp[14] = 6 and udp[16] = 32 and udp[17] = 1) and ((udp[(udp[60]/16*4)+48]=22) and (udp[(udp[60]/16*4)+53]=1) and (udp[(udp[60]/16*4)+57]=3) and (udp[(udp[60]/16*4)+49]=3))) | |
| 6in4 (IPv6 + TCP over IPv4): (proto 41 and ip[26] = 6 and ip[(ip[72]/16*4)+60]=22 and (ip[(ip[72]/16*4+5)+60]=1) and (ip[(ip[72]/16*4+9)+60]=3) and (ip[(ip[72]/16*4+1)+60]=3) | |
| Complete: (tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1) and (tcp[tcp[12]/16*4+9]=3) and (tcp[tcp[12]/16*4+1]=3)) or (ip6[(ip6[52]/16*4)+40]=22 and (ip6[(ip6[52]/16*4+5)+40]=1) and (ip6[(ip6[52]/16*4+9)+40]=3) and (ip6[(ip6[52]/16*4+1)+40]=3)) or ((udp[14] = 6 and |
LeeBrotherston
/ gist:1a0ae1aedd968af1fce3
Created
March 13, 2016 17:48
Importing a new signature to FingerPrinTLS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1 - Capture the traffic with fingerprintls *or* read a pcap containing the traffic, | |
| assuming current version from git use '-j' to specify a location to save fingerprints | |
| and '-l' for log location: | |
| sudo ./fingerprintls -i en1 -j unknown_fingerprints.json -l log.json | |
| or | |
| sudo ./fingerprintls -p previous_capture.pcap -j unknown_fingerprints.json -l log.json | |
LeeBrotherston
/ gist:5cca4b372277d7c6a049b26f87544351
Created
July 12, 2016 13:14
PokemonGo TLS Handshake
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Having analysed a sample PCAP of Pokemon Go traffic with FingerPrinTLS, you can see that it does not have a unique TLS fingerprint for detection. However.... | |
| The TLS Fingerprints do show us which libraries are probably used by the application | |
| { "timestamp": "2016-07-12 07:15:31", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.183.13.245", "src_port": 45578, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Android Webkit Thing", "server_name": "stats.unity3d.com" } | |
| { "timestamp": "2016-07-12 07:15:45", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.241.32.26", "src_port": 32962, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Android Webkit Thing", "server_name": "appload.ingest.crittercism.com" } | |
| { "timestamp": "2016-07-12 07:15:46", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.241.32.16", "src_port": 47967, "dst_port": 443, "tls_version": " |
LeeBrotherston
/ local.rules
Created
June 7, 2017 23:00
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alert ip any any -> any any (msg:"Exercise 1 - OpenSSH"; content:"OpenSSH"; sid:1000001; rev:1;) | |
| alert ip any any -> any any (msg:"Exercise 2 - OpenSSH not HTTP"; content:"OpenSSH"; depth: 15 ; sid:1000002; rev:1;) | |
| alert ip any any -> any any (msg:"Exercise 2 alt - OpenSSH not HTTP"; pcre:"/^SSH\-.*OpenSSH/"; sid:1000003; rev:1;) | |
| alert ip any any -> any any (msg:"Exercise 3 - OpenSSH not HTTP - Server only"; flow:from_server; pcre:"/^SSH\-.*OpenSSH/"; sid:1000003; rev:1;) | |
| alert tcp any any -> any any ( msg:"Tor uplink (tested: 0.2.6.10)"; content: "|16 03 01|"; offset: 0; depth: 3; rawbytes; content: "|01|"; distance: 1; rawbytes; content: "|03 03|"; distance: 3; rawbytes; byte_jump: 1,43,align; content: "|00 30|"; distance: 0; rawbytes; content: "|C0 2B C0 2F C0 0A C0 09 C0 13 C0 14 C0 12 C0 07 C0 11 00 33 00 32 00 45 00 39 00 38 00 88 00 16 00 2F 00 41 00 35 00 84 00 0A 00 05 00 04 00 FF|"; distance: 0; rawbytes; content: "|01 00|"; distance: 0; rawbytes; content: "|00 00|"; rawbytes; distance: 2; |
LeeBrotherston
/ version-control-your-bash-rc-file-with-gist.md
Created
February 26, 2018 20:57
— forked from Ashwinning/version-control-your-bash-rc-file-with-gist.md
Version control your `.bashrc` file (or any other file) with Github Gist #gistblog #ubuntu #bash
If you have ruby installed (how to install ruby):
sudo gem install gistIf you're using Bundler:
OlderNewer