
Keybase proof

I hereby claim:

  • I am leebrotherston on github.
  • I am lee (https://keybase.io/lee) on keybase.
  • I have a public key whose fingerprint is C110 4776 8997 2E64 A7B5 793E D04D 4922 FBAE 8F3B

To claim this, I am signing this object:

URLs:
-----
SlideShare (SecTor & BSidesTO & TASK versions): http://www.slideshare.net/LeeBrotherston/
Recording of talk (SecTor): http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/
Contact:
--------
Twitter: @synackpse
email: lee@squarelemon.com
@LeeBrotherston
LeeBrotherston / interception_snort_rule_0
Last active August 29, 2015 14:12
Snort Rule - Suspected TCP Injection
A window size of 1 and the absence of the do not fragment bit is consistent with observed injected packets from the Perftech bulletin system, amongst others.
It does not of course guarantee injection has taken place as it is possible to generate this type of packet legitimately, however I have yet to experience a false positive with this.
For further information on this, please see: http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/
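The gist's Snort rule itself is not shown on this page, so here is an added Python example (not the author's rule) of the same heuristic applied to raw packets: it parses the IPv4 and TCP headers and flags a segment whose advertised window is 1 while the IP Don't Fragment bit is clear. The packets are constructed inline with dummy addresses and zeroed checksums.

```python
"""Check captured IPv4/TCP packets against the heuristic described above:
an advertised TCP window of 1 combined with the IP Don't Fragment (DF) bit
being clear. Added example (not the gist's own Snort rule); the packets
built below are constructed test data with zeroed checksums."""
import struct

DF_FLAG = 0x4000  # DF is the middle bit of the 3-bit IP flags field


def build_ipv4_tcp(window, df, payload=b""):
    """Construct a minimal IPv4 + TCP packet (constructed test data)."""
    total_len = 40 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234,
                         DF_FLAG if df else 0,
                         64, 6, 0,            # TTL, protocol TCP, checksum 0
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, 5 << 4, 0x18, window, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt):
    """Return (df_set, window) for an IPv4/TCP packet, or None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20:   # not TCP, or TCP header truncated
        return None
    window = struct.unpack("!H", pkt[ihl + 14:ihl + 16])[0]
    return bool(flags_frag & DF_FLAG), window


def suspected_injection(pkt):
    """True when the packet matches the window == 1 and DF-clear heuristic."""
    hdr = parse_ipv4_tcp(pkt)
    if hdr is None:
        return False
    df_set, window = hdr
    return window == 1 and not df_set


def scan(packets):
    """Indices of packets in a capture that match the heuristic."""
    return [i for i, p in enumerate(packets) if suspected_injection(p)]


if __name__ == "__main__":
    capture = [build_ipv4_tcp(65535, True, b"GET / HTTP/1.1\r\n"),
               build_ipv4_tcp(1, False, b"<html>constructed</html>"),
               build_ipv4_tcp(1, True)]
    print(scan(capture))  # [1]
```

As the text says, a legitimate stack can emit such a segment too, so a hit is a lead to inspect (payload, TTL and sequence numbers against the rest of the flow), not a verdict.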
@LeeBrotherston
LeeBrotherston / gist:80de22f7b44678f729bc
Last active August 29, 2015 14:25
Stealthier Attacks and Smarter Defending With TLS Fingerprinting
Ever been busted because you man in the middled software (which does TLS properly) and it alerted someone to your bad
certificate? No more! Want to detect certain types of connections leaving your network, but can’t keep the IP blacklist up
to date? This could be the answer.
This talk includes an introduction to both TLS and man in the middle attacks, a walkthrough on what TLS fingerprints
contain, how to create your own fingerprints, how we use the fingerprints in several scenarios, a demo, and a discussion of
implications and pitfalls.
TLS provides transport security to all manner of connections from legitimate financial transactions to private
conversations and malware calling home. The inability to analyse encrypted traffic protects its users, whether they are
@LeeBrotherston
LeeBrotherston / gist:f5ab566d77e114f85692
Created September 18, 2015 20:48
Stealthier Attacks and Smarter Defending With TLS Fingerprinting
Ever been busted because you attempted to man in the middle software (which does TLS properly) and it
alerted someone to your bad certificate? No more! Want to detect certain types of connections leaving
your network, but can’t keep the IP blacklist up to date? This could be the answer.
This talk includes an introduction to both TLS and man in the middle attacks, a walkthrough on what
TLS fingerprints contain, how to create your own fingerprints, how we use the fingerprints in several
scenarios, and a discussion of implications and pitfalls.
TLS provides transport security to all manner of connections from legitimate financial transactions to
private conversations and malware calling home. The inability to analyse encrypted traffic protects its
@LeeBrotherston
LeeBrotherston / gist:1a0ae1aedd968af1fce3
Created March 13, 2016 17:48
Importing a new signature to FingerPrinTLS
1 - Capture the traffic with fingerprintls *or* read a pcap containing the traffic.
Assuming the current version from git, use '-j' to specify where to save fingerprints
and '-l' for the log location:
sudo ./fingerprintls -i en1 -j unknown_fingerprints.json -l log.json
or
sudo ./fingerprintls -p previous_capture.pcap -j unknown_fingerprints.json -l log.json
Having analysed a sample PCAP of Pokemon Go traffic with FingerPrinTLS, you can see that it does not have a unique TLS fingerprint for detection. However....
The TLS Fingerprints do show us which libraries are probably used by the application
{ "timestamp": "2016-07-12 07:15:31", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.183.13.245", "src_port": 45578, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Android Webkit Thing", "server_name": "stats.unity3d.com" }
{ "timestamp": "2016-07-12 07:15:45", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.241.32.26", "src_port": 32962, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Android Webkit Thing", "server_name": "appload.ingest.crittercism.com" }
{ "timestamp": "2016-07-12 07:15:46", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.241.32.16", "src_port": 47967, "dst_port": 443, "tls_version": "
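To get from the per-connection log lines above to the per-library view the text describes, here is an added Python example (not part of fingerprintls): it reads fingerprintls JSON log lines, skips any line that is not complete JSON (the third line above is cut off, which is the failure mode a log reader has to survive), and groups the server names seen under each fingerprint_desc. SAMPLE_LOG is the three lines shown above, reproduced as they appear.

```python
"""Summarise fingerprintls JSON log output by matched fingerprint.
Added example, not part of fingerprintls. SAMPLE_LOG holds the three log
lines shown above; the third is cut off exactly as it appears there."""
import json
from collections import defaultdict

SAMPLE_LOG = """
{ "timestamp": "2016-07-12 07:15:31", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.183.13.245", "src_port": 45578, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Android Webkit Thing", "server_name": "stats.unity3d.com" }
{ "timestamp": "2016-07-12 07:15:45", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.241.32.26", "src_port": 32962, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Android Webkit Thing", "server_name": "appload.ingest.crittercism.com" }
{ "timestamp": "2016-07-12 07:15:46", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.241.32.16", "src_port": 47967, "dst_port": 443, "tls_version": "
"""


def parse_log(text):
    """One dict per complete JSON line; partial lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue          # truncated line, e.g. a log cut mid-write
    return events


def libraries_by_fingerprint(events):
    """Map fingerprint_desc -> sorted server names seen with it.

    Only fingerprint_match events count; other event types are ignored."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("event") != "fingerprint_match":
            continue
        seen[ev.get("fingerprint_desc", "?")].add(ev.get("server_name", "?"))
    return {desc: sorted(names) for desc, names in seen.items()}


def match_counts(events):
    """How many matched connections each fingerprint_desc accounts for."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("event") == "fingerprint_match":
            counts[ev.get("fingerprint_desc", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(libraries_by_fingerprint(evs))
    print(match_counts(evs))
```

Grouping on fingerprint_desc rather than on destination is the point: the destinations change, the library's ClientHello shape does not, which is why the same fingerprint shows up against both analytics hosts here.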
alert ip any any -> any any (msg:"Exercise 1 - OpenSSH"; content:"OpenSSH"; sid:1000001; rev:1;)
alert ip any any -> any any (msg:"Exercise 2 - OpenSSH not HTTP"; content:"OpenSSH"; depth: 15 ; sid:1000002; rev:1;)
alert ip any any -> any any (msg:"Exercise 2 alt - OpenSSH not HTTP"; pcre:"/^SSH\-.*OpenSSH/"; sid:1000003; rev:1;)
alert ip any any -> any any (msg:"Exercise 3 - OpenSSH not HTTP - Server only"; flow:from_server; pcre:"/^SSH\-.*OpenSSH/"; sid:1000004; rev:1;)
alert tcp any any -> any any ( msg:"Tor uplink (tested: 0.2.6.10)"; content: "|16 03 01|"; offset: 0; depth: 3; rawbytes; content: "|01|"; distance: 1; rawbytes; content: "|03 03|"; distance: 3; rawbytes; byte_jump: 1,43,align; content: "|00 30|"; distance: 0; rawbytes; content: "|C0 2B C0 2F C0 0A C0 09 C0 13 C0 14 C0 12 C0 07 C0 11 00 33 00 32 00 45 00 39 00 38 00 88 00 16 00 2F 00 41 00 35 00 84 00 0A 00 05 00 04 00 FF|"; distance: 0; rawbytes; content: "|01 00|"; distance: 0; rawbytes; content: "|00 00|"; rawbytes; distance: 2;
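The talk abstracts above describe building a fingerprint from what a ClientHello contains, and the Tor rule above pins one such shape down with Snort content matches at fixed byte positions. As an added Python example (not the author's fingerprintls code), this parses a TLS ClientHello into its version, cipher-suite list and extension types, derives a fingerprint string from them, and checks the offered cipher list against TOR_CIPHERS, which is the list copied from the rule above. The ClientHello bytes, the client random and the SNI host name are constructed; matches_rule_layout only cross-checks that the constructed hello sits at the byte offsets the rule relies on.

```python
"""Parse a TLS ClientHello into the fields a TLS fingerprint is built from.
Added example, not the fingerprintls code. TOR_CIPHERS is the cipher-suite
list copied from the Snort rule above; the ClientHello itself is constructed."""
import hashlib
import struct

TOR_CIPHERS = bytes.fromhex(
    "C02B C02F C00A C009 C013 C014 C012 C007 C011 0033 0032 0045 "
    "0039 0038 0088 0016 002F 0041 0035 0084 000A 0005 0004 00FF")


def sni_extension(host):
    """server_name extension (type 0x0000) carrying one host_name entry."""
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    names = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(names)) + names


def build_client_hello(ciphers, extensions=b"", version=0x0303):
    """Construct a ClientHello record (dummy random, empty session id)."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"
    body += struct.pack("!H", len(ciphers)) + ciphers
    body += b"\x01\x00"                              # one compression method: null
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return {'version', 'ciphers', 'extensions'} or None if not a complete ClientHello."""
    try:
        if data[0] != 0x16:                           # not a handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                             # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:                        # record cut short
            return None
        p = 0
        version = struct.unpack("!H", body[p:p + 2])[0]
        p += 2 + 32                                   # version, client random
        p += 1 + body[p]                              # session id
        cs_len = struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        ciphers = list(struct.unpack("!%dH" % (cs_len // 2), body[p:p + cs_len]))
        p += cs_len
        p += 1 + body[p]                              # compression methods
        extensions = []
        if p + 2 <= len(body):                        # extensions block is optional
            end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
            p += 2
            while p + 4 <= end:
                etype, elen = struct.unpack("!HH", body[p:p + 4])
                extensions.append(etype)
                p += 4 + elen
        return {"version": version, "ciphers": ciphers, "extensions": extensions}
    except (IndexError, struct.error):
        return None


def fingerprint(parsed):
    """Fingerprint string over version, cipher order and extension order, plus a short digest."""
    text = "%04x|%s|%s" % (parsed["version"],
                            ",".join("%04x" % c for c in parsed["ciphers"]),
                            ",".join("%04x" % e for e in parsed["extensions"]))
    return text, hashlib.sha256(text.encode()).hexdigest()[:16]


def has_cipher_list(parsed, cipher_bytes):
    """True when the hello offers exactly this cipher list, in this order."""
    want = list(struct.unpack("!%dH" % (len(cipher_bytes) // 2), cipher_bytes))
    return parsed is not None and parsed["ciphers"] == want


def matches_rule_layout(data):
    """Cross-check against the byte positions the Snort rule above relies on:
    16 03 01 at 0, handshake type 01 at 5, 03 03 at 9, session id length at 43,
    then 00 30 and the cipher list, 01 00, two length bytes, and 00 00 (SNI)."""
    try:
        p = 44 + data[43]
        return (data[:3] == b"\x16\x03\x01" and data[5] == 0x01
                and data[9:11] == b"\x03\x03" and data[p:p + 2] == b"\x00\x30"
                and data[p + 2:p + 50] == TOR_CIPHERS
                and data[p + 50:p + 52] == b"\x01\x00"
                and data[p + 54:p + 56] == b"\x00\x00")
    except IndexError:
        return False


if __name__ == "__main__":
    hello = build_client_hello(TOR_CIPHERS, sni_extension("example.test"))
    parsed = parse_client_hello(hello)
    print(fingerprint(parsed))
    print(has_cipher_list(parsed, TOR_CIPHERS), matches_rule_layout(hello))
```

The parser follows the extension length fields rather than fixed offsets, so it keeps working when a client sends a session id or a different extension set; the fixed-offset rule is faster but brittle in exactly those cases, which is the trade-off between a content-match rule and a fingerprinting tool.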
make clean
./Configure no-ssl2 no-ssl3 no-tls1 no-tls1_1 no-zlib no-comp no-dtls no-dtls1 no-dtls1_2 no-psk no-srp no-srtp no-capieng no-cms no-asm no-weak-ssl-ciphers no-dso no-gost no-hw-padlock no-rfc3779 no-ts no-aria no-bf no-blake2 no-camellia no-cast no-cmac no-des no-dsa enable-ec_nistp_64_gcc_128 no-idea no-md4 no-mdc2 no-ocb no-rc2 no-rc4 no-rmd160 no-scrypt no-seed no-siphash no-sm2 no-sm3 no-sm4 no-whirlpool -O2 -fno-strict-aliasing