Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Blue Team TLS Hugs
Search
Lee Brotherston
July 29, 2017
Technology
0
340
Blue Team TLS Hugs
My talk given at the Crypto & Privacy Village at Defcon 25
Lee Brotherston
July 29, 2017
Tweet
Share
More Decks by Lee Brotherston
See All by Lee Brotherston
TLS Tools for Blue Teams
leebrotherston
0
140
Abusing TLS For Defensive Wins
leebrotherston
2
1.1k
TLS Fingerprinting SecTorCA Edition
leebrotherston
0
170
Stealthier Attacks and Smarter Defending with TLS Fingerprinting
leebrotherston
0
200
The Cynical Trust Model
leebrotherston
0
52
Corporation In The Middle
leebrotherston
0
120
Corporation In The Middle - SecTor
leebrotherston
0
37
Incident Response for Cheapskates - BSidesTO 2013
leebrotherston
0
60
Other Decks in Technology
See All in Technology
技術的負債解消の取り組みと専門チームのお話
bengo4com
0
340
Creative UIs with Compose: DroidKaigi 2024
chrishorner
1
590
サーバー管理しないサーバーサービスManaged DevOps Pool
kkamegawa
0
130
Cloud Run と GitHub Template Repository による軽量なアプリケーションプラットフォーム/ #nikkei_tech_talk
nikkei_engineer_recruiting
0
110
サーバレスでモバイルアプリ開発! NTTコム「ビジネスdアプリ」のアーキテクチャ / The architecture of business d app
nttcom
12
240
株式会社EventHub・エンジニア採用資料
eventhub
0
3k
Functional TypeScript
naoya
11
4.8k
内製化を目指す事業会社が、システム開発会社と共に進める「開発生産性改善」の取り組み事例 #devsumi
yuwji
1
110
『GRANBLUE FANTASY Relink』キャラクターの魅力を支えるリグ・シミュレーション制作事例
cygames
0
120
開発者の定量・定性データを組み合わせて開発者体験を把握するための取り組み
ham0215
1
140
事前準備が肝!AI活用のための業務改革
layerx
PRO
1
390
DevRelの始め方
moongift
PRO
1
390
Featured
See All Featured
Building Better People: How to give real-time feedback that sticks.
wjessup
359
19k
Building an army of robots
kneath
302
42k
A Philosophy of Restraint
colly
202
16k
Designing with Data
zakiwarfel
98
5k
Rebuilding a faster, lazier Slack
samanthasiow
78
8.6k
A designer walks into a library…
pauljervisheath
201
24k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
227
52k
How STYLIGHT went responsive
nonsquared
93
5.1k
Product Roadmaps are Hard
iamctodd
PRO
48
10k
Web Components: a chance to create the future
zenorocha
309
42k
Intergalactic Javascript Robots from Outer Space
tanoku
268
26k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
5
480
Transcript
Blue Team TLS Hugs Lee Brotherston - @synackpse - #TLSHugs
SSL TLS does what now? Lee Brotherston - @synackpse -
#TLSHugs
Renegotiation... Encrypted Data Key Exchange Kittens... Unicorn Tears Pixie Dust
Client Client Hello Server Server Hello Lee Brotherston - @synackpse - #TLSHugs
Current State of the Art Lee Brotherston - @synackpse -
#TLSHugs
- Ignore TLS - Break TLS - Embrace TLS Lee
Brotherston - @synackpse - #TLSHugs
Ignore TLS Lee Brotherston - @synackpse - #TLSHugs
IDS Rules Protocol ClearText TLS Enabled HTTP(S) 1572 25 IMAP(S)
34 10 SMTP(S) 73 10 Lee Brotherston - @synackpse - #TLSHugs
permit any > any port 443 Universal Firewall Bypass Port!
Lee Brotherston - @synackpse - #TLSHugs
ssh -p443 user@myhost (don’t pretend you don’t) Lee Brotherston -
@synackpse - #TLSHugs
So, what then? Lee Brotherston - @synackpse - #TLSHugs
EndMalVirusPointRansomWhitelistWareProtection Lee Brotherston - @synackpse - #TLSHugs
Blacklists Lee Brotherston - @synackpse - #TLSHugs
Break TLS Lee Brotherston - @synackpse - #TLSHugs
Request Request Response Proxy Server Client TLS Handshake TLS Handshake
Response ClearText Actual Certificate Authority work CA :) Lee Brotherston - @synackpse - #TLSHugs
Break The CA Model …. even more Lee Brotherston -
@synackpse - #TLSHugs
Compromised Appliance Lee Brotherston - @synackpse - #TLSHugs
Compromised Internal CA/Key Lee Brotherston - @synackpse - #TLSHugs
Key Management is Haaarrrddd Lee Brotherston - @synackpse - #TLSHugs
Poor Certificate Validation Lee Brotherston - @synackpse - #TLSHugs
“Trusted” CA List Lee Brotherston - @synackpse - #TLSHugs
Trust What The Appliance Trusts *cough* WoSign *cough* Lee Brotherston
- @synackpse - #TLSHugs
Certificate [un]Pinning Lee Brotherston - @synackpse - #TLSHugs
Malicious Insider Lee Brotherston - @synackpse - #TLSHugs
Embracing TLS? Lee Brotherston - @synackpse - #TLSHugs
Goals Lee Brotherston - @synackpse - #TLSHugs
Coarse Content Filtering Application Detection Coarse Logging Granular Logging Certificate
Checks Cryptographic Checks Granular Content Filtering In-Page Exploits Malware Detection Data Exfiltration DLP Lee Brotherston - @synackpse - #TLSHugs
“Perfection is the enemy of good enough” Lee Brotherston -
@synackpse - #TLSHugs
Lee Brotherston - @synackpse - #TLSHugs
Lee Brotherston - @synackpse - #TLSHugs
Fun with Packet Sniffing Lee Brotherston - @synackpse - #TLSHugs
TLS Fingerprinting (I hear someone did a talk on that)
…. (it was me) Lee Brotherston - @synackpse - #TLSHugs
Spotting $bad Lee Brotherston - @synackpse - #TLSHugs
None
[semi]Automated fingerprinting Lee Brotherston - @synackpse - #TLSHugs
Pseudo “anomaly based detection” Lee Brotherston - @synackpse - #TLSHugs
Fingerprint Canaries Lee Brotherston - @synackpse - #TLSHugs
None
Incident Response & Attribution(ish) Lee Brotherston - @synackpse - #TLSHugs
Vorführeffekt
OK, Enough Fingerprinting Lee Brotherston - @synackpse - #TLSHugs
Server Responses Lee Brotherston - @synackpse - #TLSHugs
Certificates Lee Brotherston - @synackpse - #TLSHugs
Do You Even IDS, Bro? Lee Brotherston - @synackpse -
#TLSHugs
Inline TLS Shenanigans Lee Brotherston - @synackpse - #TLSHugs
TLS Handshake Mangling Lee Brotherston - @synackpse - #TLSHugs
Request Request Response Proxy Server Client TLS Handshake TLS Handshake
Response Nope Lee Brotherston - @synackpse - #TLSHugs
Proxy Server Client TLS Request Response Request Response TLS Version
Ciphersuites Hashing Algorithms Hostname (SNI) Curves Server Hello Certificates Lee Brotherston - @synackpse - #TLSHugs
Subtractive only Lee Brotherston - @synackpse - #TLSHugs
The Compliances Lee Brotherston - @synackpse - #TLSHugs
A Remaining Problem Lee Brotherston - @synackpse - #TLSHugs
None
None
None
None
A Solution…. Kinda Lee Brotherston - @synackpse - #TLSHugs
None
None
None
None
Coarse Content Filtering Application Detection Coarse Logging Granular Logging Certificate
Checks In-Page Exploits Malware Detection Data Exfiltration DLP How Did we Do? ✓ ✓ ✓ ✓ ✓ ✓ ✗ …? Lee Brotherston - @synackpse - #TLSHugs ✓
One more thing… Lee Brotherston - @synackpse - #TLSHugs
8138561f1c4407e872a729a2d4a8f03d1927a7cd5dc9cb2f4812b50986c386a 116ab557841a5e4c9d80680697fc2c13ef7b01bb5e4e6ae71940e58fa757316 e0ee8ef327d403bba2e1c2bde3ead4166b4e1f93135e3a7acd3cddf3893b349 a120b27ed522d3176d08fc2c0984b911bd09f9601133180702542cb99dea311 0d31a40c75493db1ca59bb5e168df86ccea981f81e0466cc584461eac7dae86 6d3cc0f69e166c7d0a3019f1a163a7ba9273be13e404be0f432b65ea574badd 06a2fcc7ccff992a028c6c40c5de50428af37a1ec8f6db7d1a07af8de1486db c1a69c6bbc734cf17a1f13a48d27a218887b36b1e103964a66b38c74a73c6b9 602da341089709ef7e833e1715fe3bd85151 Lee
Brotherston - @synackpse - #TLSHugs
Host: www.myhost.com User-Agent: MyBrowser/10.4 (Some OS) CoolWebKit/537.36 Accept: text/html,application/xhtml+xml,application/xml Accept-Encoding:
gzip, deflate, sdch Accept-Language: en-US,en;q=0.8 GET /XXXXXXXXXXX HTTP/1.1 227 206 151 95 58 26 Lee Brotherston - @synackpse - #TLSHugs
Conclusion Lee Brotherston - @synackpse - #TLSHugs
Stuff … TLS Fingerprinting: https://github.com/LeeBrotherston/tls-fingerprinting https://blog.squarelemon.com/tls-fingerprinting/ TLS Mangler (soon): https://github.com/LeeBrotherston/<somewhere>
TLS Profiling: https://gist.github.com/wxsBSD/6d5e777afc31b3cf46d0 https://gist.github.com/wxsBSD/0c6584913bcc5e6da31b Slide Deck: https://speakerdeck.com/leebrotherston/ The Twitters (me): @synackpse Lee Brotherston - @synackpse - #TLSHugs
Any Questions? Lee Brotherston - @synackpse - #TLSHugs