Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Stealthier Attacks and Smarter Defending with T...

Stealthier Attacks and Smarter Defending with TLS Fingerprinting

Lee Brotherston

September 24, 2015
Tweet

More Decks by Lee Brotherston

Other Decks in Technology

Transcript

  1. Client Hello Server Client Server Hello Client Key Exchange Change

    Cipher Spec Change Cipher Spec Encrypted Data
  2. SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5 SSLHonorCipherOrder on smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL,

    MD5 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_mandatory_protocols = TLSv1 ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
  3. Content Type Version Length Handshake Type Length Version Random Session

    ID Length Session ID Cipher Suites Length Cipher Suites Compression Methods Length Compression Methods Extensions
  4. Content Type Version Length Handshake Type Length Version Random Session

    ID Length Session ID Cipher Suites Length Cipher Suites Compression Methods Length Compression Methods Extensions
  5. { "id": 0, "desc": "Dropbox (Win 8.1)”, "record_tls_version": “0x0301", "tls_version":

    “0x0301", "ciphersuite_length": “0x0010", "ciphersuite": "0xC014 0xC013 0xC011 0x0039 0x0033 0x0035 0x002F 0x00FF", "compression_length": “1", "compression": “0x00", "extensions": "0x0000 0x0023”, "server_name": “client-lb.dropbox.com" }
  6. Client to Server Server to Client False Positive Unfiltered 9547378

    3776313 99.226% Handshake & Client Hello Filter 51766 59 2.859% 1st Byte TLS Version 51677 3 0.005% 1st Byte TLS Version (Record) 51677 0 0.000%
  7. SRC DEST 192.168.1.37:3847 66.185.84.30:443 192.168.1.37:44870 74.125.226.150:443 192.168.1.49:36469 38.229.70.22:6667 192.168.1.122:51593 54.204.30.235:22

    10.54.107.19:64926 194.54.103.65:22 10.54.103.99:3010 54.204.30.201:443 10.54.103.76:3013 64.136.25.171:80 10.54.103.66:3847 192.168.10.64:25 10.54.103.33:3009 54.204.30.11:443 10.54.103.99:3010 192.168.10.10:443
  8. $ sudo tcpdump -Xni eth0 host desktop 16:29:39.149010 IP 10.54.103.76.3010

    > 54.204.30.201.443: Flags [P.], seq 826:991, ack 990, win 64, options [nop,nop,TS val 1123747053 ecr 530699601], length 165 0x0000: 4500 00d9 62a9 4000 3306 586b 36af 939e [email protected]... 0x0010: c0a8 0115 01bb c04d 49e3 2eec fb96 5e29 .......MI.....^) 0x0020: 8018 0040 ff69 0000 0101 080a 42fb 04ed [email protected]... 0x0030: 1fa1 d551 1703 0300 a008 7a4c d2cf 56e3 ...Q......zL..V. 0x0040: b83a b448 3e23 accd 3495 a547 202a e88a .:.H>#..4..G.*.. 0x0050: f05d 9f25 121a 9e1e 4944 4431 f493 0b4d .].%....IDD1...M 0x0060: e5fc c83c a77c 0cf6 6adb 96d6 7b05 481d ...<.|..j...{.H. 0x0070: 84d8 9049 952d d524 6643 00aa ccc7 48d1 ...I.-.$fC....H. 0x0080: 31d4 d033 d523 39e7 dbcd 5b8f 2204 da9d 1..3.#9...[."... 0x0090: 66fb ee3d b9c3 2bb2 5649 bdac 240d 4942 f..=..+.VI..$.IB 0x00a0: f588 e44a 44da 64cd f35c a73b 1bdf d9ac ...JD.d..\.;.... 0x00b0: 1bad dfc1 4c75 253d dcf0 42f9 452b 1fea ....Lu%=..B.E+.. 0x00c0: d5d9 384b 9d63 804e ccfb 2f08 8404 035d ..8K.c.N../....] 0x00d0: 269b 0a99 7801 970c 9a &...x....
  9. SRC DEST 192.168.1.37:3847 66.185.84.30:443 192.168.1.37:44870 74.125.226.150:443 192.168.1.49:36469 38.229.70.22:6667 192.168.1.122:51593 54.204.30.235:22

    10.54.107.19:64926 194.54.103.65:22 10.54.103.99:3010 54.204.30.201:443 10.54.103.76:3013 64.136.25.171:80 10.54.103.66:3847 192.168.10.64:25 10.54.103.33:3009 54.204.30.11:443 10.54.103.99:3010 192.168.10.10:443
  10. SRC DEST 192.168.1.37:3847 www.google.com:443 192.168.1.37:44870 Unknown:443 192.168.1.49:36469 FreeNode IRC:6667 192.168.1.122:51593

    AWS Something:22 10.54.107.19:64926 Unknown:22 10.54.103.99:3010 AWS Something:443 10.54.103.76:3013 Unknown:80 10.54.103.66:3847 Internal SMTP:25 10.54.103.33:3009 AWS Something:443 10.54.103.99:3010 Sharepoint:443
  11. SRC DEST 192.168.1.37:3847 www.google.com:443 192.168.1.37:44870 Unknown:443 192.168.1.49:36469 FreeNode IRC:6667 192.168.1.122:51593

    AWS Something:22 10.54.107.19:64926 Unknown:22 10.54.103.99:3010 AWS Something:443 10.54.103.76:3013 Unknown:80 10.54.103.66:3847 Internal SMTP:25 10.54.103.33:3009 AWS Something:443 10.54.103.99:3010 Sharepoint:443 mitmproxy Tor
  12. ARP Cache Poisoning DNS Spoofing BGP Hijacking Hacked Proxy Malicious

    Tor Node Local Agent Malicious Provider Rogue DHCP
  13. FingerprinTLS $ sudo ./ssl_fingerprint/fingerprintls/fingerprintls -i en0 -s Password: Using interface:

    en0 Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56274 to 104.244.43.39:443 Servername: "pbs.twimg.com" Fingerprint Matched: "Tor uplink" TLSv1.2 connection from 192.168.1.5:56281 to 167.114.152.100:443 Servername: "www.i6l66pzauglk2kqx2b.com" Fingerprint Matched: "Tor uplink" TLSv1.2 connection from 192.168.1.5:56280 to 37.221.162.226:9001 Servername: “www.jy27vswlheykb2dptady.com" Fingerprint Matched: "mutt (tested: 1.5.23 - OS X)" TLSv1.2 connection from 192.168.1.5:56316 to 74.125.69.108:993 Servername: "Not Set” Fingerprint Matched: "ThunderBird (v38.0.1 OS X)" TLSv1.2 connection from 192.168.1.5:56394 to 74.125.69.108:993 Servername: “imap.gmail.com” Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56233 to 104.244.43.199:443 Servername: "pbs.twimg.com" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56236 to 23.195.217.14:443 Servername: "s.mzstatic.com" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56242 to 184.25.66.217:443 Servername: "itunes.apple.com" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56243 to 23.195.218.30:443 Servername: "su.itunes.apple.com" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56246 to 23.21.97.18:443 Servername: "vine.co" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56247 to 184.25.66.217:443 Servername: "init.itunes.apple.com" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56248 to 104.244.43.229:443 Servername: "v.cdn.vine.co" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56250 to 17.173.66.136:443 Servername: "xp.apple.com" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56253 to 23.195.217.14:443 Servername: "s.mzstatic.com" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56259 to 23.195.218.30:443 Servername: "se.itunes.apple.com" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56267 to 104.244.43.167:443 Servername: "pbs.twimg.com" Fingerprint Matched: "AppleWebKit/600.7.12 or 600.1.4" TLSv1.2 connection from 192.168.1.5:56273 to 104.244.43.7:443 Servername: "pbs.twimg.com"
  14. alert tcp any any -> any any ( msg:"ruby script

    (tested: 2.0.0p481)"; content: "|16 03 01|"; offset: 0; depth: 3; rawbytes; content: "| 01|"; distance: 1; rawbytes; content: "|03 01|"; distance: 3; rawbytes; byte_jump: 1,43,align; content: "|00 24|"; distance: 0; rawbytes; content: "|00 39 00 38 00 35 00 33 00 32 00 2F 00 16 00 13 00 0A 00 9A 00 99 00 96 00 05 00 04 00 15 00 12 00 09 00 FF|"; distance: 0; rawbytes; content: "|01 00|"; distance: 0; rawbytes; content: "|00 00|"; rawbytes; distance: 2; byte_jump: 2,0,relative; content: "|00 23|"; rawbytes; distance: 0; sid:1000169; rev:1;) Fingerprintout
  15. $ ./parse_fingerprint.py ../json/combined.json xkeyscore # Rule for "Mozilla/4.0 (compatible; MSIE

    6.0 or MSIE 7.0)" “\x16\x03\x01.*\x01.*\x03\x01.* \x00\x16\x00\x04\x00\x05\x00\x0\x00\x09\x00\x64\x00\x62\x00 \x03\x00\x06\x00\x13\x00\x12\x00\x63.*\x00" Fingerprintout
  16. $ ./parse_fingerprint.py ./combined.json cleanse | grep '#' # Oh no,

    2 signatures match: Java (tested: v8 Update 60) - Archive.org bot # Oh no, 2 signatures match: Archive.org bot - Java (tested: v8 Update 60) Fingerprintout
  17. {"id": 0, "desc": "MS Word / MS WebDav", "record_tls_version": "

    0x0301", "tls_version": "0x0301 ", "ciphersuite_length": "0x0014 ", "ciphersuite": "0xC014 0xC013 0xC00A 0xC009 0x0035 0x002F 0x0038 0x0032 0x000A 0x0013", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0000 0x000A 0x000B 0xFF01", "e_curves": " 0x0019 0x0017 0x0018 ", "sig_alg": " ", "ec_point_fmt": " 0x00 ", "server": "" } {"id": 0, "desc": "Internet Explorer 11.0.9600.17959", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x0030 ", "ciphersuite": "0xC028 0xC027 0xC014 0xC013 0x009F 0x009E 0x009D 0x009C 0xC02C 0xC02B 0xC024 0xC023 0xC00A 0xC009 0x003D 0x003C 0x0035 0x002F 0x006A 0x0040 0x0038 0x0032 0x000A 0x0013", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0000 0x0005 0x000A 0x000B 0x000D 0xFF01", "e_curves": " 0x0017 0x0018 0x0019 ", "sig_alg": " 0x0601 0x0603 0x0401 0x0501 0x0201 0x0403 0x0503 0x0203 0x0202 ", "ec_point_fmt": " 0x00 ", "server": "" } {"id": 0, "desc": "Pidgin (tested 2.10.11)", "record_tls_version": " 0x0301", "tls_version": "0x0303 ", "ciphersuite_length": "0x0022 ", "ciphersuite": "0xC02B 0xC02F 0xC00A 0xC009 0xC013 0xC027 0xC014 0xC007 0xC011 0x009E 0x0033 0x0032 0x0067 0x0039 0x006B 0x002F 0x0035", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0000 0xFF01 0x000A 0x000B 0x000D", "e_curves": " 0x0017 0x0018 0x0019 ", "sig_alg": " 0x0401 0x0501 0x0201 0x0403 0x0503 0x0203 0x0402 0x0202 ", "ec_point_fmt": " 0x00 ", "server": "" } {"id": 0, "desc": "Windows Java Plugin (tested: v8 Update 60)", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x003A ", "ciphersuite": "0xC023 0xC027 0x003C 0xC025 0xC029 0x0067 0x0040 0xC009 0xC013 0x002F 0xC004 0xC00E 0x0033 0x0032 0xC02B 0xC02F 0x009C 0xC02D 0xC031 0x009E 0x00A2 0xC008 0xC012 0x000A 0xC003 0xC00D 0x0016 0x0013 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x000A 0x000B 0x000D 0x0000", "e_curves": " 0x0017 0x0001 0x0003 0x0013 0x0015 0x0006 0x0007 0x0009 0x000A 0x0018 0x000B 0x000C 0x0019 0x000D 0x000E 0x000F 0x0010 0x0011 0x0002 0x0012 0x0004 0x0005 0x0014 0x0008 0x0016 ", "sig_alg": " 0x0603 0x0601 0x0503 0x0501 0x0403 0x0401 0x0303 0x0301 0x0203 0x0201 0x0202 0x0101 ", "ec_point_fmt": " 0x00 ", "server": "" } {"id": 0, "desc": "Windows 8.x Apps Store thing (unconfirmed)", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x0034 ", "ciphersuite": "0xC028 0xC027 0xC014 0xC013 0x009F 0x009E 0x009D 0x009C 0x003D 0x003C 0x0035 0x002F 0xC02C 0xC02B 0xC024 0xC023 0xC00A 0xC009 0x006A 0x0040 0x0038 0x0032 0x000A 0x0013 0x0005 0x0004", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0000 0x000A 0x000B 0x000D 0x0023 0xFF01", "e_curves": " 0x0017 0x0018 ", "sig_alg": " 0x0401 0x0501 0x0601 0x0201 0x0403 0x0503 0x0603 0x0203 0x0202 ", "ec_point_fmt": " 0x00 ", "server": "" } {"id": 0, "desc": "w3c HTML Validator", "record_tls_version": " 0x0301", "tls_version": "0x0303 ", "ciphersuite_length": "0x00AE ", "ciphersuite": "0xC030 0xC02C 0xC028 0xC024 0xC014 0xC00A 0x00A3 0x009F 0x006B 0x006A 0x0039 0x0038 0x0088 0x0087 0xC019 0x00A7 0x006D 0x003A 0x0089 0xC032 0xC02E 0xC02A 0xC026 0xC00F 0xC005 0x009D 0x003D 0x0035 0x0084 0xC012 0xC008 0x0016 0x0013 0xC017 0x001B 0xC00D 0xC003 0x000A 0xC02F 0xC02B 0xC027 0xC023 0xC013 0xC009 0x00A2 0x009E 0x0067 0x0040 0x0033 0x0032 0x009A 0x0099 0x0045 0x0044 0xC018 0x00A6 0x006C 0x0034 0x009B 0x0046 0xC031 0xC02D 0xC029 0xC025 0xC00E 0xC004 0x009C 0x003C 0x002F 0x0096 0x0041 0xC011 0xC007 0xC016 0x0018 0xC00C 0xC002 0x0005 0x0004 0x0014 0x0011 0x0019 0x0008 0x0006 0x0017 0x0003 0x00FF", "compression_length": "2 ", "compression": "0x01 0x00", "extensions": "0x0000 0x000B 0x000A 0x0023 0x000D 0x000F", "e_curves": " 0x000E 0x000D 0x0019 0x000B 0x000C 0x0018 0x0009 0x000A 0x0016 0x0017 0x0008 0x0006 0x0007 0x0014 0x0015 0x0004 0x0005 0x0012 0x0013 0x0001 0x0002 0x0003 0x000F 0x0010 0x0011 ", "sig_alg": " 0x0601 0x0602 0x0603 0x0501 0x0502 0x0503 0x0401 0x0402 0x0403 0x0301 0x0302 0x0303 0x0201 0x0202 0x0203 0x0101 ", "ec_point_fmt": " 0x00 0x01 0x02 ", "server": "" } {"id": 0, "desc": "w3c HTML Validator", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x0064 ", "ciphersuite": "0xC024 0xC028 0x003D 0xC026 0xC02A 0x006B 0x006A 0xC00A 0xC014 0x0035 0xC005 0xC00F 0x0039 0x0038 0xC023 0xC027 0x003C 0xC025 0xC029 0x0067 0x0040 0xC009 0xC013 0x002F 0xC004 0xC00E 0x0033 0x0032 0xC02C 0xC02B 0xC030 0x009D 0xC02E 0xC032 0x009F 0x00A3 0xC02F 0x009C 0xC02D 0xC031 0x009E 0x00A2 0xC008 0xC012 0x000A 0xC003 0xC00D 0x0016 0x0013 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x000A 0x000B 0x000D 0x0000", "e_curves": " 0x0017 0x0001 0x0003 0x0013 0x0015 0x0006 0x0007 0x0009 0x000A 0x0018 0x000B 0x000C 0x0019 0x000D 0x000E 0x000F 0x0010 0x0011 0x0002 0x0012 0x0004 0x0005 0x0014 0x0008 0x0016 ", "sig_alg": " 0x0603 0x0601 0x0503 0x0501 0x0403 0x0401 0x0303 0x0301 0x0203 0x0201 0x0202 0x0101 ", "ec_point_fmt": " 0x00 ", "server": "" } {"id": 0, "desc": "Archive.org bot", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x003A ", "ciphersuite": "0xC023 0xC027 0x003C 0xC025 0xC029 0x0067 0x0040 0xC009 0xC013 0x002F 0xC004 0xC00E 0x0033 0x0032 0xC02B 0xC02F 0x009C 0xC02D 0xC031 0x009E 0x00A2 0xC008 0xC012 0x000A 0xC003 0xC00D 0x0016 0x0013 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x000A 0x000B 0x000D 0x0000", "e_curves": " 0x0017 0x0001 0x0003 0x0013 0x0015 0x0006 0x0007 0x0009 0x000A 0x0018 0x000B 0x000C 0x0019 0x000D 0x000E 0x000F 0x0010 0x0011 0x0002 0x0012 0x0004 0x0005 0x0014 0x0008 0x0016 ", "sig_alg": " 0x0603 0x0601 0x0503 0x0501 0x0403 0x0401 0x0303 0x0301 0x0203 0x0201 0x0202 0x0101 ", "ec_point_fmt": " 0x00 ", "server": "" } {"id": 0, "desc": "OpenSSL s-client with -tls1 flag", "record_tls_version": " 0x0301", "tls_version": "0x0301 ", "ciphersuite_length": "0x002E ", "ciphersuite": "0x0039 0x0038 0x0035 0x0016 0x0013 0x000A 0x0033 0x0032 0x002F 0x009A 0x0099 0x0096 0x0005 0x0004 0x0015 0x0012 0x0009 0x0014 0x0011 0x0008 0x0006 0x0003 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0023", "e_curves": " ", "sig_alg": " ", "ec_point_fmt": " ", "server": "" } {"id": 0, "desc": "GNUTLS Commandline", "record_tls_version": " 0x0301", "tls_version": "0x0303 ", "ciphersuite_length": "0x0084 ", "ciphersuite": "0xC02B 0xC02C 0xC086 0xC087 0xC009 0xC023 0xC00A 0xC024 0xC072 0xC073 0xC008 0xC007 0xC02F 0xC030 0xC08A 0xC08B 0xC013 0xC027 0xC014 0xC028 0xC076 0xC077 0xC012 0xC011 0x009C 0x009D 0xC07A 0xC07B 0x002F 0x003C 0x0035 0x003D 0x0041 0x00BA 0x0084 0x00C0 0x000A 0x0005 0x0004 0x009E 0x009F 0xC07C 0xC07D 0x0033 0x0067 0x0039 0x006B 0x0045 0x00BE 0x0088 0x00C4 0x0016 0x00A2 0x00A3 0xC080 0xC081 0x0032 0x0040 0x0038 0x006A 0x0044 0x00BD 0x0087 0x00C3 0x0013 0x0066", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0005 0x0000 0xFF01 0x0023 0x000A 0x000B 0x000D", "e_curves": " 0x0017 0x0018 0x0019 0x0015 0x0013 ", "sig_alg": " 0x0401 0x0402 0x0403 0x0501 0x0503 0x0601 0x0603 0x0301 0x0302 0x0303 0x0201 FingerPrint DB