I hereby claim:
- I am leebrotherston on github.
- I am lee (https://keybase.io/lee) on keybase.
- I have a public key whose fingerprint is C110 4776 8997 2E64 A7B5 793E D04D 4922 FBAE 8F3B
To claim this, I am signing this object:
URLs:
-----
SlideShare (SecTor & BSidesTO & TASK versions): http://www.slideshare.net/LeeBrotherston/
Recording of talk (SecTor): http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/

Contact:
--------
Twitter: @synackpse
email: lee@squarelemon.com
A TCP window size of 1 combined with the absence of the Don't Fragment (DF) bit is consistent with the injected packets observed from the Perftech bulletin system, amongst others.
It does not, of course, guarantee that injection has taken place, as it is possible to generate this type of packet legitimately; however, I have yet to experience a false positive with this.
For further information on this, please see: http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/
Ever been busted because you tried to man-in-the-middle software (which does TLS properly) and it alerted someone to your bad certificate? No more! Want to detect certain types of connections leaving your network, but can't keep the IP blacklist up to date? This could be the answer.

This talk includes an introduction to both TLS and man-in-the-middle attacks, a walkthrough of what TLS fingerprints contain, how to create your own fingerprints, how we use the fingerprints in several scenarios, a demo, and a discussion of implications and pitfalls.

TLS provides transport security to all manner of connections, from legitimate financial transactions to private conversations and malware calling home. The inability to analyse encrypted traffic protects its users, whether they are
Match TLS Client Hello packets with a BPF:

IPv4 + TCP: (tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1) and (tcp[tcp[12]/16*4+9]=3) and (tcp[tcp[12]/16*4+1]=3))

IPv6 + TCP: (ip6[(ip6[52]/16*4)+40]=22 and (ip6[(ip6[52]/16*4+5)+40]=1) and (ip6[(ip6[52]/16*4+9)+40]=3) and (ip6[(ip6[52]/16*4+1)+40]=3))

Teredo (IPv6 + TCP over IPv4 + UDP): ((udp[14] = 6 and udp[16] = 32 and udp[17] = 1) and ((udp[(udp[60]/16*4)+48]=22) and (udp[(udp[60]/16*4)+53]=1) and (udp[(udp[60]/16*4)+57]=3) and (udp[(udp[60]/16*4)+49]=3)))

6in4 (IPv6 + TCP over IPv4): (proto 41 and ip[26] = 6 and ip[(ip[72]/16*4)+60]=22 and (ip[(ip[72]/16*4+5)+60]=1) and (ip[(ip[72]/16*4+9)+60]=3) and (ip[(ip[72]/16*4+1)+60]=3)

Complete: (tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1) and (tcp[tcp[12]/16*4+9]=3) and (tcp[tcp[12]/16*4+1]=3)) or (ip6[(ip6[52]/16*4)+40]=22 and (ip6[(ip6[52]/16*4+5)+40]=1) and (ip6[(ip6[52]/16*4+9)+40]=3) and (ip6[(ip6[52]/16*4+1)+40]=3)) or ((udp[14] = 6 and
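The same four byte tests as the IPv4 BPF above, plus the window-size-1 / DF-clear heuristic from the injected-packet note earlier on this page, as a Python re-implementation added here (it is not code from the original gists nor from fingerprintls). It makes the tcp[12]/16*4 data-offset arithmetic explicit, honours the IPv4 IHL field the way tcpdump's tcp[] does, and runs both checks over raw IPv4/TCP packets constructed inline. The packet builder, the CLIENT_HELLO byte string and the addresses are test fixtures, not captured traffic.

```python
# Added example, not part of the original gists: Python versions of
#   (a) the IPv4 TLS ClientHello BPF (tcp[off]=22, tcp[off+1]=3, tcp[off+5]=1, tcp[off+9]=3)
#   (b) the "window size 1 and DF bit clear" heuristic for injected packets.
# Input is a raw IPv4/TCP packet with no link-layer header. Checksums are left
# at zero in the constructed packets; nothing here is capture data.
import struct

IP_DF = 0x4000   # Don't Fragment flag in the IPv4 flags/fragment-offset field


def parse_ipv4_tcp(pkt: bytes):
    """Return (ip_flags_frag, tcp_window, tcp_payload) or None if not IPv4/TCP.

    Uses the IPv4 IHL and the TCP data offset, which is what tcpdump's tcp[]
    indexing hides behind the tcp[12]/16*4 expression in the BPF.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20:        # protocol 6 == TCP
        return None
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4                      # tcp[12]/16*4 in the BPF
    window = struct.unpack("!H", tcp[14:16])[0]
    return flags_frag, window, tcp[doff:]


def is_tls_client_hello(pkt: bytes) -> bool:
    """The IPv4 BPF's four byte tests applied to the TCP payload."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    payload = parsed[2]
    if len(payload) < 10:
        return False
    return (payload[0] == 22       # record content type: handshake
            and payload[1] == 3    # record version major (SSL 3.x / TLS 1.x)
            and payload[5] == 1    # handshake type: ClientHello
            and payload[9] == 3)   # client_version major


def looks_injected(pkt: bytes) -> bool:
    """Window size 1 with DF clear, the injected-packet heuristic from above."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    flags_frag, window, _ = parsed
    return window == 1 and not (flags_frag & IP_DF)


def build_ipv4_tcp(payload: bytes, window: int = 65535, df: bool = True,
                   ip_options: bytes = b"") -> bytes:
    """Construct a raw IPv4/TCP packet around payload (test fixture, checksums zero)."""
    assert len(ip_options) % 4 == 0
    ihl_words = 5 + len(ip_options) // 4
    total = ihl_words * 4 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x40 | ihl_words, 0, total, 0x1234, IP_DF if df else 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1])) + ip_options
    tcp = struct.pack("!HHIIBBHHH",
                      40000, 443, 1, 1, 5 << 4, 0x18, window, 0, 0)   # PSH|ACK, no options
    return ip + tcp + payload


# Minimal TLS 1.2 ClientHello, constructed for the test: record header,
# handshake header, client_version 3.3, 32 zero bytes of random, empty
# session_id, one cipher suite, null compression, empty extensions.
CLIENT_HELLO = bytes.fromhex(
    "16 03 01 00 2f"          # record: handshake, version 3.1, 47 bytes follow
    "01 00 00 2b"             # ClientHello, 43-byte body
    "03 03" + "00" * 32 +     # client_version 3.3 + random
    "00"                      # session_id length 0
    "00 02 c0 2f"             # cipher_suites: 2 bytes, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    "01 00"                   # compression_methods: 1, null
    "00 00"                   # extensions length 0
)


if __name__ == "__main__":
    samples = {
        "client hello":             build_ipv4_tcp(CLIENT_HELLO),
        "client hello + IP options": build_ipv4_tcp(CLIENT_HELLO, ip_options=b"\x01\x01\x01\x01"),
        "http request":             build_ipv4_tcp(b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
        "injected-looking reply":   build_ipv4_tcp(b"HTTP/1.1 302 Found\r\n", window=1, df=False),
    }
    for name, pkt in samples.items():
        print(f"{name:28s} client_hello={is_tls_client_hello(pkt)} injected={looks_injected(pkt)}")
```

The IP-options case is there because the BPF's tcp[] form already accounts for a non-20-byte IPv4 header; the IPv6, Teredo and 6in4 variants above hard-code 40, 48 and 60 because those encapsulations have fixed header sizes in front of the TCP header.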
1 - Capture the traffic with fingerprintls *or* read a pcap containing the traffic.
Assuming the current version from git, use '-j' to specify where to save unknown fingerprints
and '-l' for the log location:
sudo ./fingerprintls -i en1 -j unknown_fingerprints.json -l log.json
or
sudo ./fingerprintls -p previous_capture.pcap -j unknown_fingerprints.json -l log.json
Having analysed a sample PCAP of Pokemon Go traffic with FingerPrinTLS, you can see that it does not have a unique TLS fingerprint for detection. However....
The TLS fingerprints do show us which libraries are probably used by the application:
{ "timestamp": "2016-07-12 07:15:31", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.183.13.245", "src_port": 45578, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Android Webkit Thing", "server_name": "stats.unity3d.com" }
{ "timestamp": "2016-07-12 07:15:45", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.241.32.26", "src_port": 32962, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Android Webkit Thing", "server_name": "appload.ingest.crittercism.com" }
{ "timestamp": "2016-07-12 07:15:46", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.241.32.16", "src_port": 47967, "dst_port": 443, "tls_version": "
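An added example, not part of the original gist or of FingerPrinTLS, that groups fingerprintls JSON log lines by fingerprint_desc so the libraries an app uses and the hosts each one contacts fall out of the log. The first two embedded lines are the entries quoted above; the third (a made-up fingerprint name and destination) and the truncated fourth line are constructed to exercise the summariser, including the partial record a stopped capture leaves behind.

```python
# Added example, not from the original gist: summarise fingerprintls JSON logs
# by fingerprint_desc. Lines 1-2 below are the ones quoted on this page; lines
# 3-4 are constructed (a made-up fingerprint, and a record truncated mid-line).
import json
from collections import defaultdict

LOG_TEXT = """\
{ "timestamp": "2016-07-12 07:15:31", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.183.13.245", "src_port": 45578, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Android Webkit Thing", "server_name": "stats.unity3d.com" }
{ "timestamp": "2016-07-12 07:15:45", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.241.32.26", "src_port": 32962, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Android Webkit Thing", "server_name": "appload.ingest.crittercism.com" }
{ "timestamp": "2016-07-12 07:16:02", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "198.51.100.7", "src_port": 50110, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Constructed example stack", "server_name": "example.invalid" }
{ "timestamp": "2016-07-12 07:16:03", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.241.32.16", "src_port": 47967, "dst_port": 443, "tls_version": "
"""


def parse_log(text: str):
    """Return (records, bad_lines): parsed JSON objects and raw lines that failed."""
    records, bad = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad.append(line)           # truncated or corrupt record; keep for review
    return records, bad


def summarise(records):
    """Group fingerprint_match events by fingerprint_desc.

    Each entry carries the hit count, the SNI names seen and the destination
    ip:port pairs, so one can see which TLS stack talks to which backend.
    """
    out = defaultdict(lambda: {"count": 0, "server_names": set(), "destinations": set()})
    for rec in records:
        if rec.get("event") != "fingerprint_match":
            continue
        entry = out[rec.get("fingerprint_desc", "<unknown>")]
        entry["count"] += 1
        sni = rec.get("server_name")
        if sni:
            entry["server_names"].add(sni)
        entry["destinations"].add(f'{rec.get("ipv4_dst", "?")}:{rec.get("dst_port", "?")}')
    return {desc: {"count": e["count"],
                   "server_names": sorted(e["server_names"]),
                   "destinations": sorted(e["destinations"])}
            for desc, e in out.items()}


if __name__ == "__main__":
    recs, bad = parse_log(LOG_TEXT)
    for desc, info in summarise(recs).items():
        print(f"{desc}: {info['count']} hit(s); SNI {info['server_names']}; dst {info['destinations']}")
    print(f"{len(bad)} unparseable line(s) skipped")
```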
alert ip any any -> any any (msg:"Exercise 1 - OpenSSH"; content:"OpenSSH"; sid:1000001; rev:1;)
alert ip any any -> any any (msg:"Exercise 2 - OpenSSH not HTTP"; content:"OpenSSH"; depth:15; sid:1000002; rev:1;)
alert ip any any -> any any (msg:"Exercise 2 alt - OpenSSH not HTTP"; pcre:"/^SSH\-.*OpenSSH/"; sid:1000003; rev:1;)
alert ip any any -> any any (msg:"Exercise 3 - OpenSSH not HTTP - Server only"; flow:from_server; pcre:"/^SSH\-.*OpenSSH/"; sid:1000004; rev:1;)
alert tcp any any -> any any ( msg:"Tor uplink (tested: 0.2.6.10)"; content: "|16 03 01|"; offset: 0; depth: 3; rawbytes; content: "|01|"; distance: 1; rawbytes; content: "|03 03|"; distance: 3; rawbytes; byte_jump: 1,43,align; content: "|00 30|"; distance: 0; rawbytes; content: "|C0 2B C0 2F C0 0A C0 09 C0 13 C0 14 C0 12 C0 07 C0 11 00 33 00 32 00 45 00 39 00 38 00 88 00 16 00 2F 00 41 00 35 00 84 00 0A 00 05 00 04 00 FF|"; distance: 0; rawbytes; content: "|01 00|"; distance: 0; rawbytes; content: "|00 00|"; rawbytes; distance: 2;
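What the Tor rule's chain of content matches and its byte_jump over the session ID are walking, as an added Python example (not from the original gist): parse the ClientHello, extract the cipher_suites list and compare it with the list in the rule. The hex suite list is copied from the rule; parse_client_hello, build_client_hello and the sample messages are constructed here, and matches_tor_rule checks only what is visible in the (truncated) rule above: a TLS 1.2 ClientHello, exactly that 24-suite list, and a single null compression method.

```python
# Added example, not from the original gist: extract the cipher_suites list
# from a TLS ClientHello record and compare it with the Tor 0.2.6.10 list the
# Snort rule above keys on. The ClientHello messages are constructed here
# (random and session_id are arbitrary test data).
import os

# Cipher suite list copied from the rule's content match: 24 suites, 0x30 bytes,
# which is why the rule first matches |00 30| as the cipher_suites length.
TOR_0_2_6_10_SUITES = bytes.fromhex(
    "C02B C02F C00A C009 C013 C014 C012 C007 C011 0033 0032 0045"
    "0039 0038 0088 0016 002F 0041 0035 0084 000A 0005 0004 00FF"
)


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello; raise ValueError otherwise.

    Walks the variable-length fields (session_id, cipher_suites,
    compression_methods) explicitly. The rule approximates the session_id
    step with byte_jump:1,43 (the length byte sits at 5 + 4 + 2 + 32 = 43).
    """
    if len(record) < 5 or record[0] != 22 or record[1] != 3:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(hs) < 4 or hs[0] != 1:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or body_len < 2 + 32 + 1:
        raise ValueError("truncated ClientHello")
    try:
        pos = 0
        version = body[pos:pos + 2]; pos += 2
        pos += 32                                          # random
        sid_len = body[pos]; pos += 1
        session_id = body[pos:pos + sid_len]; pos += sid_len
        cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        cipher_suites = body[pos:pos + cs_len]; pos += cs_len
        comp_len = body[pos]; pos += 1
        compression = body[pos:pos + comp_len]; pos += comp_len
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    if cs_len % 2 or len(cipher_suites) != cs_len or len(compression) != comp_len:
        raise ValueError("malformed ClientHello")
    return {"version": version, "session_id": session_id,
            "cipher_suites": cipher_suites, "compression": compression}


def suite_fingerprint(record: bytes) -> str:
    """Comma-separated hex suite list, the form one would store as a fingerprint."""
    cs = parse_client_hello(record)["cipher_suites"]
    return ",".join(cs[i:i + 2].hex() for i in range(0, len(cs), 2))


def matches_tor_rule(record: bytes) -> bool:
    """The checks visible in the rule: version 3.3, the exact suite list, null compression."""
    try:
        ch = parse_client_hello(record)
    except ValueError:
        return False
    return (ch["version"] == b"\x03\x03"
            and ch["cipher_suites"] == TOR_0_2_6_10_SUITES
            and ch["compression"] == b"\x00")


def build_client_hello(cipher_suites: bytes, session_id: bytes = b"") -> bytes:
    """Construct a TLS 1.2 ClientHello record with no extensions (test fixture)."""
    body = (b"\x03\x03" + os.urandom(32)
            + bytes([len(session_id)]) + session_id
            + len(cipher_suites).to_bytes(2, "big") + cipher_suites
            + b"\x01\x00"                    # one compression method: null
            + b"\x00\x00")                   # extensions length 0
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


if __name__ == "__main__":
    samples = [
        ("tor-like, no session id",      build_client_hello(TOR_0_2_6_10_SUITES)),
        ("tor-like, 32-byte session id", build_client_hello(TOR_0_2_6_10_SUITES, os.urandom(32))),
        ("two-suite client",             build_client_hello(bytes.fromhex("c02fc02b"))),
    ]
    for label, rec in samples:
        print(f"{label:30s} match={matches_tor_rule(rec)} suites={suite_fingerprint(rec)}")
```

The second sample is the case the rule's byte_jump exists for: with a 32-byte session ID the suite list starts 32 bytes later, so a fixed-offset content match would miss it, while a parser that reads the length byte does not care.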
If you have ruby installed (how to install ruby):
sudo gem install gist
If you're using Bundler: