I hereby claim:
- I am leebrotherston on github.
- I am lee (https://keybase.io/lee) on keybase.
- I have a public key whose fingerprint is C110 4776 8997 2E64 A7B5 793E D04D 4922 FBAE 8F3B
To claim this, I am signing this object:
URLs:
-----
SlideShare (SecTor & BSidesTO & TASK versions): http://www.slideshare.net/LeeBrotherston/
Recording of talk (SecTor): http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/

Contact:
--------
Twitter: @synackpse
email: lee@squarelemon.com
A TCP window size of 1 combined with the absence of the Do Not Fragment (DF) bit is consistent with observed injected packets from the Perftech bulletin system, amongst others.
It does not of course guarantee that injection has taken place, as it is possible to generate this type of packet legitimately; however, I have yet to experience a false positive with this.
For further information on this, please see: http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/
Ever been busted because you man-in-the-middled software (which does TLS properly) and it alerted someone to your bad certificate? No more! Want to detect certain types of connections leaving your network, but can't keep the IP blacklist up to date? This could be the answer.

This talk includes an introduction to both TLS and man in the middle attacks, a walkthrough on what TLS fingerprints contain, how to create your own fingerprints, how we use the fingerprints in several scenarios, a demo, and a discussion of implications and pitfalls.

TLS provides transport security to all manner of connections from legitimate financial transactions to private conversations and malware calling home. The inability to analyse encrypted traffic protects its users, whether they are
1 - Capture the traffic live with fingerprintls, *or* read a pcap containing the traffic.
    Assuming the current version from git, use '-j' to specify where to save unknown fingerprints
    and '-l' for the log location:

    sudo ./fingerprintls -i en1 -j unknown_fingerprints.json -l log.json

    or

    sudo ./fingerprintls -p previous_capture.pcap -j unknown_fingerprints.json -l log.json
Having analysed a sample PCAP of Pokemon Go traffic with FingerPrinTLS, you can see that it does not have a unique TLS fingerprint for detection. However...

The TLS fingerprints do show us which libraries are probably used by the application:

{ "timestamp": "2016-07-12 07:15:31", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.183.13.245", "src_port": 45578, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Android Webkit Thing", "server_name": "stats.unity3d.com" }
{ "timestamp": "2016-07-12 07:15:45", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.241.32.26", "src_port": 32962, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Android Webkit Thing", "server_name": "appload.ingest.crittercism.com" }
{ "timestamp": "2016-07-12 07:15:46", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.241.32.16", "src_port": 47967, "dst_port": 443, "tls_version": "
# Exercise 1: match the OpenSSH banner anywhere in the payload (also fires on HTTP traffic that mentions OpenSSH)
alert ip any any -> any any (msg:"Exercise 1 - OpenSSH"; content:"OpenSSH"; sid:1000001; rev:1;)
# Exercise 2: only match when the string is within the first 15 bytes, i.e. the SSH version banner
alert ip any any -> any any (msg:"Exercise 2 - OpenSSH not HTTP"; content:"OpenSSH"; depth:15; sid:1000002; rev:1;)
# Exercise 2 alt: anchor on the "SSH-" version string instead of a byte depth
alert ip any any -> any any (msg:"Exercise 2 alt - OpenSSH not HTTP"; pcre:"/^SSH\-.*OpenSSH/"; sid:1000003; rev:1;)
# Exercise 3: as above, but only on the server's side of the flow (sid made unique; the original reused 1000003)
alert ip any any -> any any (msg:"Exercise 3 - OpenSSH not HTTP - Server only"; flow:from_server; pcre:"/^SSH\-.*OpenSSH/"; sid:1000004; rev:1;)
# Tor uplink: TLS ClientHello record, then the cipher suite list the tested Tor client sends (rule truncated in the source)
alert tcp any any -> any any ( msg:"Tor uplink (tested: 0.2.6.10)"; content: "|16 03 01|"; offset: 0; depth: 3; rawbytes; content: "|01|"; distance: 1; rawbytes; content: "|03 03|"; distance: 3; rawbytes; byte_jump: 1,43,align; content: "|00 30|"; distance: 0; rawbytes; content: "|C0 2B C0 2F C0 0A C0 09 C0 13 C0 14 C0 12 C0 07 C0 11 00 33 00 32 00 45 00 39 00 38 00 88 00 16 00 2F 00 41 00 35 00 84 00 0A 00 05 00 04 00 FF|"; distance: 0; rawbytes; content: "|01 00|"; distance: 0; rawbytes; content: "|00 00|"; rawbytes; distance: 2;
- OWASP IoT Top 10
  https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
- Parker Thompson, Mudge, and Tim Carstens - Ground Truth: 18 vendors, 6000 firmware images, 2.7 million binaries, and a flaw in the Linux/MIPS stack
  https://archive.org/download/ShmooCon_2019/ShmooCon2019-Ground%20Truth.mp4
make clean
# Minimal OpenSSL build: legacy protocols, weak/legacy ciphers and unused engines disabled.
# Corrected from the original: no-dtls1_2 (was no-dtlsi1_2), no-rmd160 (was no-rmd16@), -O2 (was -02).
./Configure no-ssl2 no-ssl3 no-tls1 no-tls1_1 no-zlib no-comp no-dtls no-dtls1 no-dtls1_2 no-psk no-srp no-srtp no-capieng no-cms no-asm no-weak-ssl-ciphers no-dso no-gost no-hw-padlock no-rfc3779 no-ts no-aria no-bf no-blake2 no-camellia no-cast no-cmac no-des no-dsa enable-ec_nistp_64_gcc_128 no-idea no-md4 no-mdc2 no-ocb no-rc2 no-rc4 no-rmd160 no-scrypt no-seed no-siphash no-sm2 no-sm3 no-sm4 no-whirlpool -O2 -fno-strict-aliasing