app:tlsfingerprint
app:tlsfingerprint [2017/11/17 23:58] – veera | app:tlsfingerprint [2017/11/29 23:03] – [Programatically resolving TLS Prints] veera
====== TLS Fingerprinter ======
TLS Fingerprinting is a technique by which you can identify SSL/TLS clients.
that adds this capability
===== What is TLS Fingerprinting =====
This technique builds upon the patterns found in the preferences that are advertised in the "
The 3 major fields in the Client Hello that can identify a client are
  - **Elliptic Curves**: There are about 25 elliptic curve types registered by IANA. The number advertised and their order of preference also vary by client.
So if you take all three together, there is a high likelihood that you can minimize collisions and identify a particular client on a particular operating system. If you print out the values of all three fields and then compute an MD5 hash over the resulting string, you get a '

At first, this approach may seem a bit flaky, but it is not easy for an application to change its //print// dynamically without some major code rewrite. Note that the print identifies the TLS stack and its configuration rather than the application itself: two programs linked against the same library with the same settings produce the same hash, and a library upgrade can change it. We currently have about 300 hashes, largely due to Lee Brotherston'
Further reading
  * [[https://
  * [[https://
  * [[https://
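As an added example, not code from this page or from the TrisulNSM app (which is written in LuaJIT), the Python script below parses a TLS ClientHello record and builds the print in the JA3 form: the ClientHello version, cipher suites, extension types, elliptic curves and EC point formats written as decimal lists, joined with commas, then MD5-hashed. JA3 therefore uses the three fields described above plus the version and point formats. GREASE values, which modern browsers randomise on every connection, are dropped before hashing, otherwise one client would yield a new print each time. The ClientHello bytes are constructed by the script itself (''build_client_hello'' and ''sni_payload'' exist only to produce that sample) and are not taken from a capture.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are randomised by the client on every connection
# and must be ignored, or one client would yield a different print each time.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def u16_list(buf):
    """Split a byte string into big-endian 16-bit integers."""
    return [v for (v,) in struct.iter_unpack("!H", buf)]


def parse_client_hello(record):
    """Parse one TLS record carrying a ClientHello and return the fields a
    JA3 print is computed from. Raises ValueError for anything else."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                               # skip client_version and random
    pos += 1 + body[pos]                       # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = u16_list(body[pos:pos + cs_len])
    pos += cs_len
    pos += 1 + body[pos]                       # skip compression_methods

    extensions, curves, point_formats = [], [], []
    if pos < len(body):                        # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            extensions.append(etype)
            if etype == 0x000a:                # supported_groups (elliptic_curves)
                n = struct.unpack("!H", edata[:2])[0]
                curves = u16_list(edata[2:2 + n])
            elif etype == 0x000b:              # ec_point_formats
                point_formats = list(edata[1:1 + edata[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "point_formats": point_formats}


def ja3(fields):
    """Return (ja3_string, md5_hex) for parsed ClientHello fields."""
    def join(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(fields["version"]), join(fields["ciphers"]),
                  join(fields["extensions"]), join(fields["curves"]),
                  join(fields["point_formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def fingerprint(record):
    """Convenience wrapper: raw record in, (ja3_string, md5_hex) out."""
    return ja3(parse_client_hello(record))


def build_client_hello(version, ciphers, extensions):
    """Assemble a minimal ClientHello record for the constructed sample below;
    `extensions` is a list of (type, payload) pairs."""
    ext_body = b"".join(struct.pack("!HH", t, len(p)) + p for t, p in extensions)
    body = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"
            + struct.pack("!H", 2 * len(ciphers))
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                      # one compression method: null
            + struct.pack("!H", len(ext_body)) + ext_body)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def sni_payload(host):
    """server_name extension payload carrying one host_name entry."""
    return struct.pack("!HBH", len(host) + 3, 0, len(host)) + host


# Constructed sample (not a capture): TLS 1.2 ClientHello with a GREASE
# cipher suite and a GREASE curve that must not appear in the print.
SAMPLE = build_client_hello(
    0x0303,
    [0x1a1a, 0xc02b, 0xc02f, 0x009c, 0x002f],
    [(0x0000, sni_payload(b"example.com")),
     (0x000a, b"\x00\x06\x2a\x2a\x00\x1d\x00\x17"),   # GREASE, x25519, secp256r1
     (0x000b, b"\x01\x00"),                           # uncompressed points only
     (0x0023, b""),                                   # session_ticket
     (0x0017, b"")])                                  # extended_master_secret


if __name__ == "__main__":
    s, h = fingerprint(SAMPLE)
    print(s)   # 771,49195-49199-156-47,0-10-11-35-23,29-23,0
    print(h)
```

The decimal lists keep the client's advertised order, so two clients offering the same suites in a different preference order produce different prints, which is exactly the property the paragraph above relies on.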
==== Fingerprints database ====
The fingerprints database we have at our [[https://
So if you captured on a live network the JA3 hash ''
==== Analysis of TLS Fingerprints ====
What can you do with these prints? There are a few options:
  * Malware prints
  * Anomaly detection: if you track known prints, you can build a large database over a period of time. After that you can send unseen prints into a "
In both analysis paths we think TLS prints are a valuable piece of intel, especially as we move to pervasive TLS.
Let's look at what you can do with TrisulNSM and the new TLS Prints App.
===== How the TrisulNSM App works =====

The TLS Print app is written in LuaJIT and plugs into the TrisulNSM Scripting Engine. The source code for the App is available on the [[https://
The app generates
  - **Metrics**: the app generates metrics for each TLS print it finds. If the print is a known one, it also updates the label. You can do long-term trend analysis to see when each print was seen over the past few months.
  - **Graph Analytics**: when a print is seen, the adjacent vertices, namely the IP flow tuples and the SNI (Server Name Indication) extension, are added as edges.
  - **Alerts**: right now we don't have many malware prints, but when we do have them, the app can generate an alert.
When you reveal adjacent vertices in Trisul EDGE you are shown all the vertex types. One of them is the User-Agent
+ | |||
===== Programmatically resolving TLS Prints =====

This app dumps all fingerprints, along with the parameters used to compute them, into a log file. This allows us to programmatically resolve unknown fingerprints. We released a TRP Ruby script to [[app:

We invite you to try this app in your network and let us know how it works. It is free to run.
app/tlsfingerprint.txt · Last modified: 2018/03/04 13:27 by veera