If you have ruby installed (how to install ruby):
sudo gem install gist
If you're using Bundler:
format = """ | |
$hostname\ | |
$username\ | |
$directory\ | |
[ ](fg:#769ff0 bg:#394260)\ | |
($git_branch$git_status$git_state)\ | |
[ ](fg:#394260 bg:#888888)\ | |
$docker_context\ | |
$golang\ | |
$custom\ |
cat go.mod | grep -Fv '>>>>>>>' | grep -Fv '=======' | grep -Fv '<<<<<<<' > go.mod.tmp && mv go.mod.tmp go.mod && go mod tidy
make clean
./Configure no-ssl2 no-ssl3 no-tls1 no-tls1_1 no-zlib no-comp no-dtls no-dtls1 no-dtls1_2 no-psk no-srp no-srtp no-capieng no-cms no-asm no-weak-ssl-ciphers no-dso no-gost no-hw-padlock no-rfc3779 no-ts no-aria no-bf no-blake2 no-camellia no-cast no-cmac no-des no-dsa enable-ec_nistp_64_gcc_128 no-idea no-md4 no-mdc2 no-ocb no-rc2 no-rc4 no-rmd160 no-scrypt no-seed no-siphash no-sm2 no-sm3 no-sm4 no-whirlpool -O2 -fno-strict-aliasing
- OWASP IoT Top 10
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
- Parker Thompson, Mudge, and Tim Carstens - Ground Truth: 18 vendors, 6000 firmware images, 2.7 million binaries, and a flaw in the Linux/MIPS stack
https://archive.org/download/ShmooCon_2019/ShmooCon2019-Ground%20Truth.mp4
alert ip any any -> any any (msg:"Exercise 1 - OpenSSH"; content:"OpenSSH"; sid:1000001; rev:1;)
alert ip any any -> any any (msg:"Exercise 2 - OpenSSH not HTTP"; content:"OpenSSH"; depth:15; sid:1000002; rev:1;)
alert ip any any -> any any (msg:"Exercise 2 alt - OpenSSH not HTTP"; pcre:"/^SSH\-.*OpenSSH/"; sid:1000003; rev:1;)
# Every rule in a ruleset needs its own sid, so Exercise 3 takes the next free one instead of repeating 1000003.
alert ip any any -> any any (msg:"Exercise 3 - OpenSSH not HTTP - Server only"; flow:from_server; pcre:"/^SSH\-.*OpenSSH/"; sid:1000004; rev:1;)
alert tcp any any -> any any ( msg:"Tor uplink (tested: 0.2.6.10)"; content: "|16 03 01|"; offset: 0; depth: 3; rawbytes; content: "|01|"; distance: 1; rawbytes; content: "|03 03|"; distance: 3; rawbytes; byte_jump: 1,43,align; content: "|00 30|"; distance: 0; rawbytes; content: "|C0 2B C0 2F C0 0A C0 09 C0 13 C0 14 C0 12 C0 07 C0 11 00 33 00 32 00 45 00 39 00 38 00 88 00 16 00 2F 00 41 00 35 00 84 00 0A 00 05 00 04 00 FF|"; distance: 0; rawbytes; content: "|01 00|"; distance: 0; rawbytes; content: "|00 00|"; rawbytes; distance: 2;
Having analysed a sample PCAP of Pokemon Go traffic with FingerPrinTLS, you can see that it does not have a unique TLS fingerprint for detection. However, the TLS fingerprints do show which libraries the application probably uses:
{ "timestamp": "2016-07-12 07:15:31", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.183.13.245", "src_port": 45578, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Android Webkit Thing", "server_name": "stats.unity3d.com" } | |
{ "timestamp": "2016-07-12 07:15:45", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.241.32.26", "src_port": 32962, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Android Webkit Thing", "server_name": "appload.ingest.crittercism.com" } | |
{ "timestamp": "2016-07-12 07:15:46", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.241.32.16", "src_port": 47967, "dst_port": 443, "tls_version": " |
1 - Capture the traffic with fingerprintls *or* read a pcap containing the traffic.
Assuming the current version from git, use '-j' to specify where to save unknown fingerprints
and '-l' for the log location:
sudo ./fingerprintls -i en1 -j unknown_fingerprints.json -l log.json
or
sudo ./fingerprintls -p previous_capture.pcap -j unknown_fingerprints.json -l log.json
Match TLS Client Hello packets with a BPF:
IPv4 + TCP: (tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1) and (tcp[tcp[12]/16*4+9]=3) and (tcp[tcp[12]/16*4+1]=3))
IPv6 + TCP: (ip6[(ip6[52]/16*4)+40]=22 and (ip6[(ip6[52]/16*4+5)+40]=1) and (ip6[(ip6[52]/16*4+9)+40]=3) and (ip6[(ip6[52]/16*4+1)+40]=3))
Teredo (IPv6 + TCP over IPv4 + UDP): ((udp[14] = 6 and udp[16] = 32 and udp[17] = 1) and ((udp[(udp[60]/16*4)+48]=22) and (udp[(udp[60]/16*4)+53]=1) and (udp[(udp[60]/16*4)+57]=3) and (udp[(udp[60]/16*4)+49]=3)))
6in4 (IPv6 + TCP over IPv4): (proto 41 and ip[26] = 6 and ip[(ip[72]/16*4)+60]=22 and (ip[(ip[72]/16*4+5)+60]=1) and (ip[(ip[72]/16*4+9)+60]=3) and (ip[(ip[72]/16*4+1)+60]=3))
Complete: (tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1) and (tcp[tcp[12]/16*4+9]=3) and (tcp[tcp[12]/16*4+1]=3)) or (ip6[(ip6[52]/16*4)+40]=22 and (ip6[(ip6[52]/16*4+5)+40]=1) and (ip6[(ip6[52]/16*4+9)+40]=3) and (ip6[(ip6[52]/16*4+1)+40]=3)) or ((udp[14] = 6 and
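As an added example (not code from the gist or from FingerPrinTLS), the same four payload-byte tests the IPv4 + TCP filter performs, written in Python: it walks the IPv4 IHL and TCP data offset exactly as tcp[tcp[12]/16*4] does, then checks record type 22, record version major 3, handshake type 1 and client_version major 3. The ClientHello, ServerHello, application-data record, HTTP request and IP addresses are all constructed for the demonstration.

```python
import struct

# The BPF on the page tests four bytes of the TCP payload:
#   [0] = 22  TLS record type "handshake"
#   [1] = 3   record-layer version major (0x03 for SSLv3 and all TLS versions)
#   [5] = 1   handshake message type "ClientHello"
#   [9] = 3   client_version major inside the ClientHello body
def is_tls_client_hello(payload: bytes) -> bool:
    """The page's BPF predicate, applied to a raw TCP payload."""
    return (len(payload) >= 10 and payload[0] == 22 and payload[1] == 3
            and payload[5] == 1 and payload[9] == 3)

def tcp_payload_ipv4(packet: bytes) -> bytes:
    """Locate the payload the way tcp[tcp[12]/16*4] does: IPv4 IHL, then TCP data offset."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    tcp = packet[ihl:]
    doff = (tcp[12] >> 4) * 4             # tcp[12]/16*4: TCP header length in bytes
    return tcp[doff:]

def build_ipv4_tcp(payload: bytes) -> bytes:
    """Constructed IPv4 + TCP packet (no options, checksums left zero) carrying payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes([10, 8, 0, 1]), bytes([203, 0, 113, 10]))   # constructed addresses
    tcp = struct.pack("!HHIIBBHHH", 45578, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

# Constructed sample payloads (not captured traffic)
CLIENT_HELLO = (b"\x16\x03\x01\x00\x2d"           # record: handshake, version 3.1, length 45
                b"\x01\x00\x00\x29"               # handshake: ClientHello, length 41
                b"\x03\x03" + bytes(32) +         # client_version 3.3 (TLS 1.2), 32-byte random
                b"\x00\x00\x02\xc0\x2b\x01\x00")  # no session id, one cipher suite, null compression
SERVER_HELLO = b"\x16\x03\x03\x00\x2a\x02\x00\x00\x26\x03\x03" + bytes(32) + b"\x00\xc0\x2b\x00"
APP_DATA = b"\x17\x03\x03\x00\x20" + bytes(32)    # application-data record, not a handshake
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

def classify(samples: dict) -> dict:
    """Run the check over full IPv4/TCP packets built around each sample payload."""
    return {name: is_tls_client_hello(tcp_payload_ipv4(build_ipv4_tcp(p)))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, hit in classify({"ClientHello": CLIENT_HELLO, "ServerHello": SERVER_HELLO,
                               "AppData": APP_DATA, "HTTP GET": HTTP_GET}).items():
        print(f"{name:12s} matches BPF: {hit}")
```

Only the ClientHello matches; a ServerHello fails at byte 5, application data at byte 0, and HTTP at byte 0, which is the same selectivity the BPF gives a capture filter.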
Ever been busted because you attempted to man-in-the-middle software (which does TLS properly) and it alerted someone to your bad certificate? No more! Want to detect certain types of connections leaving your network, but can't keep the IP blacklist up to date? This could be the answer.

This talk includes an introduction to both TLS and man-in-the-middle attacks, a walkthrough on what TLS fingerprints contain, how to create your own fingerprints, how we use the fingerprints in several scenarios, and a discussion of implications and pitfalls.

TLS provides transport security to all manner of connections from legitimate financial transactions to private conversations and malware calling home. The inability to analyse encrypted traffic protects its