
format = """
$hostname\
$username\
$directory\
[ ](fg:#769ff0 bg:#394260)\
($git_branch$git_status$git_state)\
[ ](fg:#394260 bg:#888888)\
$docker_context\
$golang\
$custom\
@LeeBrotherston
LeeBrotherston / gist:412b5cd46d29934cd0f265b2292bf447
Created July 5, 2023 18:30
Make rebase merge fun more palatable for golang 🤣
cat go.mod | grep -Fv '>>>>>>>' | grep -Fv '=======' | grep -Fv '<<<<<<<' > go.mod.tmp && mv go.mod.tmp go.mod && go mod tidy
make clean
./Configure no-ssl2 no-ssl3 no-tls1 no-tls1_1 no-zlib no-comp no-dtls no-dtls1 no-dtls1_2 no-psk no-srp no-srtp no-capieng no-cms no-asm no-weak-ssl-ciphers no-dso no-gost no-hw-padlock no-rfc3779 no-ts no-aria no-bf no-blake2 no-camellia no-cast no-cmac no-des no-dsa enable-ec_nistp_64_gcc_128 no-idea no-md4 no-mdc2 no-ocb no-rc2 no-rc4 no-rmd160 no-scrypt no-seed no-siphash no-sm2 no-sm3 no-sm4 no-whirlpool -O2 -fno-strict-aliasing
@LeeBrotherston
LeeBrotherston / version-control-your-bash-rc-file-with-gist.md
Created February 26, 2018 20:57 — forked from Ashwinning/version-control-your-bash-rc-file-with-gist.md
Version control your `.bashrc` file (or any other file) with Github Gist #gistblog #ubuntu #bash

Version control your .bashrc file with Github Gist

Install Gist on your machine

If you have ruby installed (how to install ruby):

sudo gem install gist

If you're using Bundler:

alert ip any any -> any any (msg:"Exercise 1 - OpenSSH"; content:"OpenSSH"; sid:1000001; rev:1;)
alert ip any any -> any any (msg:"Exercise 2 - OpenSSH not HTTP"; content:"OpenSSH"; depth:15; sid:1000002; rev:1;)
alert ip any any -> any any (msg:"Exercise 2 alt - OpenSSH not HTTP"; pcre:"/^SSH\-.*OpenSSH/"; sid:1000003; rev:1;)
alert ip any any -> any any (msg:"Exercise 3 - OpenSSH not HTTP - Server only"; flow:from_server; pcre:"/^SSH\-.*OpenSSH/"; sid:1000004; rev:1;)
alert tcp any any -> any any ( msg:"Tor uplink (tested: 0.2.6.10)"; content: "|16 03 01|"; offset: 0; depth: 3; rawbytes; content: "|01|"; distance: 1; rawbytes; content: "|03 03|"; distance: 3; rawbytes; byte_jump: 1,43,align; content: "|00 30|"; distance: 0; rawbytes; content: "|C0 2B C0 2F C0 0A C0 09 C0 13 C0 14 C0 12 C0 07 C0 11 00 33 00 32 00 45 00 39 00 38 00 88 00 16 00 2F 00 41 00 35 00 84 00 0A 00 05 00 04 00 FF|"; distance: 0; rawbytes; content: "|01 00|"; distance: 0; rawbytes; content: "|00 00|"; rawbytes; distance: 2;
Having analysed a sample PCAP of Pokemon Go traffic with FingerPrinTLS, you can see that it does not have a unique TLS fingerprint for detection. However...
The TLS fingerprints do show us which libraries are probably used by the application:
{ "timestamp": "2016-07-12 07:15:31", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.183.13.245", "src_port": 45578, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Android Webkit Thing", "server_name": "stats.unity3d.com" }
{ "timestamp": "2016-07-12 07:15:45", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.241.32.26", "src_port": 32962, "dst_port": 443, "tls_version": "TLSv1.2", "fingerprint_desc": "Android Webkit Thing", "server_name": "appload.ingest.crittercism.com" }
{ "timestamp": "2016-07-12 07:15:46", "event": "fingerprint_match", "ip_version": "ipv4", "ipv4_src": "10.8.0.1", "ipv4_dst": "54.241.32.16", "src_port": 47967, "dst_port": 443, "tls_version": "
@LeeBrotherston
LeeBrotherston / gist:1a0ae1aedd968af1fce3
Created March 13, 2016 17:48
Importing a new signature to FingerPrinTLS
1 - Capture the traffic with fingerprintls *or* read a pcap containing the traffic.
Assuming the current version from git, use '-j' to specify where to save unknown fingerprints
and '-l' for the log location:
sudo ./fingerprintls -i en1 -j unknown_fingerprints.json -l log.json
or
sudo ./fingerprintls -p previous_capture.pcap -j unknown_fingerprints.json -l log.json
@LeeBrotherston
LeeBrotherston / gist:92cc2637f33468485b8f
Created February 21, 2016 05:38
Detect TLS Client Hello in many things using a BPF
Match TLS Client Hello packets with a BPF:
IPv4 + TCP: (tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1) and (tcp[tcp[12]/16*4+9]=3) and (tcp[tcp[12]/16*4+1]=3))
IPv6 + TCP: (ip6[(ip6[52]/16*4)+40]=22 and (ip6[(ip6[52]/16*4+5)+40]=1) and (ip6[(ip6[52]/16*4+9)+40]=3) and (ip6[(ip6[52]/16*4+1)+40]=3))
Teredo (IPv6 + TCP over IPv4 + UDP): ((udp[14] = 6 and udp[16] = 32 and udp[17] = 1) and ((udp[(udp[60]/16*4)+48]=22) and (udp[(udp[60]/16*4)+53]=1) and (udp[(udp[60]/16*4)+57]=3) and (udp[(udp[60]/16*4)+49]=3)))
6in4 (IPv6 + TCP over IPv4): (proto 41 and ip[26] = 6 and ip[(ip[72]/16*4)+60]=22 and (ip[(ip[72]/16*4+5)+60]=1) and (ip[(ip[72]/16*4+9)+60]=3) and (ip[(ip[72]/16*4+1)+60]=3))
Complete: (tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1) and (tcp[tcp[12]/16*4+9]=3) and (tcp[tcp[12]/16*4+1]=3)) or (ip6[(ip6[52]/16*4)+40]=22 and (ip6[(ip6[52]/16*4+5)+40]=1) and (ip6[(ip6[52]/16*4+9)+40]=3) and (ip6[(ip6[52]/16*4+1)+40]=3)) or ((udp[14] = 6 and
@LeeBrotherston
LeeBrotherston / gist:f5ab566d77e114f85692
Created September 18, 2015 20:48
Stealthier Attacks and Smarter Defending With TLS Fingerprinting
Ever been busted because you attempted to man in the middle software (which does TLS properly) and it
alerted someone to your bad certificate? No more! Want to detect certain types of connections leaving
your network, but can’t keep the IP blacklist up to date? This could be the answer.
This talk includes an introduction to both TLS and man in the middle attacks, a walkthrough on what
TLS fingerprints contain, how to create your own fingerprints, how we use the fingerprints in several
scenarios, and a discussion of implications and pitfalls.
TLS provides transport security to all manner of connections from legitimate financial transactions to
private conversations and malware calling home. The inability to analyse encrypted traffic protects its