Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Blue Team TLS Hugs
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Lee Brotherston
July 29, 2017
Technology
360
0
Share
Blue Team TLS Hugs
My talk given at the Crypto & Privacy Village at Defcon 25
Lee Brotherston
July 29, 2017
More Decks by Lee Brotherston
See All by Lee Brotherston
TLS Tools for Blue Teams
leebrotherston
0
160
Abusing TLS For Defensive Wins
leebrotherston
2
1.1k
TLS Fingerprinting SecTorCA Edition
leebrotherston
0
190
Stealthier Attacks and Smarter Defending with TLS Fingerprinting
leebrotherston
0
240
The Cynical Trust Model
leebrotherston
0
62
Corporation In The Middle
leebrotherston
0
130
Corporation In The Middle - SecTor
leebrotherston
0
54
Incident Response for Cheapskates - BSidesTO 2013
leebrotherston
0
80
Other Decks in Technology
See All in Technology
Cortex Code君、今日から内製化支援担当ね。
coco_se
0
180
ブラックボックス化したMLシステムのVertex AI移行 / mlops_community_62
visional_engineering_and_design
1
260
タスク管理も1on1も、もう「管理」じゃない - KiroとBedrock AgentCoreで変わった“判断の仕事”
yusukeshimizu
0
160
Podcast配信で広がったアウトプットの輪~70人と音声発信してきた7年間~/outputconf_01
fortegp05
0
190
Tour of Agent Protocols: MCP, A2A, AG-UI, A2UI with ADK
meteatamel
0
190
Oracle AI Database@Azure:サービス概要のご紹介
oracle4engineer
PRO
5
1.3k
20260326_AIDD事例紹介_ULSC.pdf
findy_eventslides
0
390
Cursor Subagentsはいいぞ
yug1224
2
130
Oracle AI Database@AWS:サービス概要のご紹介
oracle4engineer
PRO
3
2.1k
Why we keep our community?
kawaguti
PRO
0
360
Zephyr(RTOS)でOpenPLCを実装してみた
iotengineer22
0
180
第26回FA設備技術勉強会 - Claude/Claude_codeでデータ分析 -
happysamurai294
0
350
Featured
See All Featured
svc-hook: hooking system calls on ARM64 by binary rewriting
retrage
2
190
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
27
3.4k
Build your cross-platform service in a week with App Engine
jlugia
234
18k
Collaborative Software Design: How to facilitate domain modelling decisions
baasie
0
180
The Illustrated Guide to Node.js - THAT Conference 2024
reverentgeek
1
320
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
1.9k
A designer walks into a library…
pauljervisheath
211
24k
Design in an AI World
tapps
0
190
Building a Modern Day E-commerce SEO Strategy
aleyda
45
9k
Leadership Guide Workshop - DevTernity 2021
reverentgeek
1
260
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
10k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
249
1.3M
Transcript
Blue Team TLS Hugs Lee Brotherston - @synackpse - #TLSHugs
SSL TLS does what now? Lee Brotherston - @synackpse -
#TLSHugs
Renegotiation... Encrypted Data Key Exchange Kittens... Unicorn Tears Pixie Dust
Client Client Hello Server Server Hello Lee Brotherston - @synackpse - #TLSHugs
Current State of the Art Lee Brotherston - @synackpse -
#TLSHugs
- Ignore TLS - Break TLS - Embrace TLS Lee
Brotherston - @synackpse - #TLSHugs
Ignore TLS Lee Brotherston - @synackpse - #TLSHugs
IDS Rules Protocol ClearText TLS Enabled HTTP(S) 1572 25 IMAP(S)
34 10 SMTP(S) 73 10 Lee Brotherston - @synackpse - #TLSHugs
permit any > any port 443 Universal Firewall Bypass Port!
Lee Brotherston - @synackpse - #TLSHugs
ssh -p443 user@myhost (don’t pretend you don’t) Lee Brotherston -
@synackpse - #TLSHugs
So, what then? Lee Brotherston - @synackpse - #TLSHugs
EndMalVirusPointRansomWhitelistWareProtection Lee Brotherston - @synackpse - #TLSHugs
Blacklists Lee Brotherston - @synackpse - #TLSHugs
Break TLS Lee Brotherston - @synackpse - #TLSHugs
Request Request Response Proxy Server Client TLS Handshake TLS Handshake
Response ClearText Actual Certificate Authority work CA :) Lee Brotherston - @synackpse - #TLSHugs
Break The CA Model …. even more Lee Brotherston -
@synackpse - #TLSHugs
Compromised Appliance Lee Brotherston - @synackpse - #TLSHugs
Compromised Internal CA/Key Lee Brotherston - @synackpse - #TLSHugs
Key Management is Haaarrrddd Lee Brotherston - @synackpse - #TLSHugs
Poor Certificate Validation Lee Brotherston - @synackpse - #TLSHugs
“Trusted” CA List Lee Brotherston - @synackpse - #TLSHugs
Trust What The Appliance Trusts *cough* WoSign *cough* Lee Brotherston
- @synackpse - #TLSHugs
Certificate [un]Pinning Lee Brotherston - @synackpse - #TLSHugs
Malicious Insider Lee Brotherston - @synackpse - #TLSHugs
Embracing TLS? Lee Brotherston - @synackpse - #TLSHugs
Goals Lee Brotherston - @synackpse - #TLSHugs
Coarse Content Filtering Application Detection Coarse Logging Granular Logging Certificate
Checks Cryptographic Checks Granular Content Filtering In-Page Exploits Malware Detection Data Exfiltration DLP Lee Brotherston - @synackpse - #TLSHugs
“Perfection is the enemy of good enough” Lee Brotherston -
@synackpse - #TLSHugs
Lee Brotherston - @synackpse - #TLSHugs
Lee Brotherston - @synackpse - #TLSHugs
Fun with Packet Sniffing Lee Brotherston - @synackpse - #TLSHugs
TLS Fingerprinting (I hear someone did a talk on that)
…. (it was me) Lee Brotherston - @synackpse - #TLSHugs
Spotting $bad Lee Brotherston - @synackpse - #TLSHugs
None
[semi]Automated fingerprinting Lee Brotherston - @synackpse - #TLSHugs
Pseudo “anomaly based detection” Lee Brotherston - @synackpse - #TLSHugs
Fingerprint Canaries Lee Brotherston - @synackpse - #TLSHugs
None
Incident Response & Attribution(ish) Lee Brotherston - @synackpse - #TLSHugs
Vorführeffekt
OK, Enough Fingerprinting Lee Brotherston - @synackpse - #TLSHugs
Server Responses Lee Brotherston - @synackpse - #TLSHugs
Certificates Lee Brotherston - @synackpse - #TLSHugs
Do You Even IDS, Bro? Lee Brotherston - @synackpse -
#TLSHugs
Inline TLS Shenanigans Lee Brotherston - @synackpse - #TLSHugs
TLS Handshake Mangling Lee Brotherston - @synackpse - #TLSHugs
Request Request Response Proxy Server Client TLS Handshake TLS Handshake
Response Nope Lee Brotherston - @synackpse - #TLSHugs
Proxy Server Client TLS Request Response Request Response TLS Version
Ciphersuites Hashing Algorithms Hostname (SNI) Curves Server Hello Certificates Lee Brotherston - @synackpse - #TLSHugs
Subtractive only Lee Brotherston - @synackpse - #TLSHugs
The Compliances Lee Brotherston - @synackpse - #TLSHugs
A Remaining Problem Lee Brotherston - @synackpse - #TLSHugs
None
None
None
None
A Solution…. Kinda Lee Brotherston - @synackpse - #TLSHugs
None
None
None
None
Coarse Content Filtering Application Detection Coarse Logging Granular Logging Certificate
Checks In-Page Exploits Malware Detection Data Exfiltration DLP How Did we Do? ✓ ✓ ✓ ✓ ✓ ✓ ✗ …? Lee Brotherston - @synackpse - #TLSHugs ✓
One more thing… Lee Brotherston - @synackpse - #TLSHugs
8138561f1c4407e872a729a2d4a8f03d1927a7cd5dc9cb2f4812b50986c386a 116ab557841a5e4c9d80680697fc2c13ef7b01bb5e4e6ae71940e58fa757316 e0ee8ef327d403bba2e1c2bde3ead4166b4e1f93135e3a7acd3cddf3893b349 a120b27ed522d3176d08fc2c0984b911bd09f9601133180702542cb99dea311 0d31a40c75493db1ca59bb5e168df86ccea981f81e0466cc584461eac7dae86 6d3cc0f69e166c7d0a3019f1a163a7ba9273be13e404be0f432b65ea574badd 06a2fcc7ccff992a028c6c40c5de50428af37a1ec8f6db7d1a07af8de1486db c1a69c6bbc734cf17a1f13a48d27a218887b36b1e103964a66b38c74a73c6b9 602da341089709ef7e833e1715fe3bd85151 Lee
Brotherston - @synackpse - #TLSHugs
Host: www.myhost.com User-Agent: MyBrowser/10.4 (Some OS) CoolWebKit/537.36 Accept: text/html,application/xhtml+xml,application/xml Accept-Encoding:
gzip, deflate, sdch Accept-Language: en-US,en;q=0.8 GET /XXXXXXXXXXX HTTP/1.1 227 206 151 95 58 26 Lee Brotherston - @synackpse - #TLSHugs
Conclusion Lee Brotherston - @synackpse - #TLSHugs
Stuff … TLS Fingerprinting: https://github.com/LeeBrotherston/tls-fingerprinting https://blog.squarelemon.com/tls-fingerprinting/ TLS Mangler (soon): https://github.com/LeeBrotherston/<somewhere>
TLS Profiling: https://gist.github.com/wxsBSD/6d5e777afc31b3cf46d0 https://gist.github.com/wxsBSD/0c6584913bcc5e6da31b Slide Deck: https://speakerdeck.com/leebrotherston/ The Twitters (me): @synackpse Lee Brotherston - @synackpse - #TLSHugs
Any Questions? Lee Brotherston - @synackpse - #TLSHugs
SiteGround - Reliable hosting with speed, security, and support you can count on.
leebrotherston
coco_se
visional_engineering_and_design
yusukeshimizu
fortegp05
meteatamel
oracle4engineer
findy_eventslides
yug1224
kawaguti
iotengineer22
happysamurai294
retrage
eileencodes
jlugia
baasie
reverentgeek
pauljervisheath
tapps
aleyda
sugarenia
![Certificate [un]Pinning Lee Brotherston - @synackpse - #TLSHugs](https://files.speakerdeck.com/presentations/aa35560f56a348a0bf881c6676b9d9c7/slide_21.jpg){kind=link}
![[semi]Automated fingerprinting Lee Brotherston - @synackpse - #TLSHugs](https://files.speakerdeck.com/presentations/aa35560f56a348a0bf881c6676b9d9c7/slide_33.jpg){kind=link}
