app:tlsfingerprint [2017/11/29 00:05] – [Graph Analytics] veera
app:tlsfingerprint [2017/11/29 23:03] – [Programatically resolving TLS Prints] veera
Line 1: Line 1:
 +~~Title: SJLJSADJA ~~ 
 +
 ====== TLS Fingerprinter ====== ====== TLS Fingerprinter ======
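Review bot: the added line `~~Title: SJLJSADJA ~~` at the top of the new revision looks like placeholder text rather than an intended page title; either give it the real title (the heading below is "TLS Fingerprinter") or drop the macro before this revision is kept.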
  
Line 10: Line 12:
 ===== What is TLS Fingerprinting ===== ===== What is TLS Fingerprinting =====
  
-This technique builds upon the patterns found in the client preferences that are advertised in the "Client Hello" message that is sent as the very first message in the TLS Handshake process. This message is un-encryptedtherefore it allows for NSM tools like Trisul to look at it.  Each SSL/TLS Client such as browsers use a particular version of a particular implementation of SSL/TLS. Some major implementations are OpenSSL, GnuTLS, Windows, Java SSE, NSS, embedded libraries like WolfSSL etc. +This technique builds upon the patterns found in the preferences that are advertised in the "Client Hello" message that is sent by the client as the very first message in the TLS Handshake process. This message is unencryptedso it allows for NSM tools like Trisul to look at it.  Every SSL/TLS Client uses a particular version of a particular implementation of SSL/TLS library. Some major implementations are OpenSSL, GnuTLS, Windows, Java SSE, NSS, WolfSSL etc. 
  
 The 3 major fields in the Client Hello that can identify a client are  The 3 major fields in the Client Hello that can identify a client are 
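Review bot: in the new text of this hunk, "unencryptedso" still runs two words together; it should read "unencrypted, so" (the old side had the same defect in "un-encryptedtherefore"). The unchanged paragraph that follows also keeps "likelyhood" and "system.If" (missing space), which this revision could have fixed while touching the section.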
Line 20: Line 22:
 So if you take all the three together there is a high likelyhood that you can minimize collisions and identify a particular client on a particular operating system.If you printed out the values of all these three fields and then computed a MD5 hash over the string, we can get a 'fingerprint' We can call this a //JA3 hash// as proposed by the researchers John Althouse and team.   So if you take all the three together there is a high likelyhood that you can minimize collisions and identify a particular client on a particular operating system.If you printed out the values of all these three fields and then computed a MD5 hash over the string, we can get a 'fingerprint' We can call this a //JA3 hash// as proposed by the researchers John Althouse and team.  
  
-At first, this approach may seem a bit flaky but it is not easy for an application to change its //print// dynamically without some major code rewrite. We currently have about 300 hashes largely due to Lee Brotherston'original work. We at Trisul also added in some 50 hashes+At first, this approach may seem a bit flaky but it is not easy for an application to change its //print// dynamically without some major code rewrite. We currently have about 300 hashes largely due to Lee Brotherston'effort. We at Trisul also added in some 50-60 new prints
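To make the fingerprint construction concrete, here is an added example that is not part of the wiki page or of Trisul's code. It builds a constructed TLS ClientHello record, parses the fields the text describes (protocol version, cipher suites, extensions) plus the supported groups and EC point formats that the public JA3 definition also includes, removes randomised GREASE values so the print stays stable, and computes the MD5 "print". The sample values (example.com as SNI, the cipher and curve lists) are constructed, not captured traffic.

```python
import hashlib
import struct

# GREASE values (RFC 8701) change per connection, so JA3 drops them before hashing.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def build_client_hello(version, ciphers, extensions):
    """Construct a TLS record carrying a ClientHello (sample builder, not a capture).
    extensions is a list of (extension_type, extension_data) tuples."""
    body = struct.pack("!H", version)
    body += bytes(32)                                   # client random (zeroed sample)
    body += b"\x00"                                     # session id length 0
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                 # compression methods: null only
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the JA3 input fields from a TLS record containing a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                           # skip client random
    pos += 1 + body[pos]                                # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                # skip compression methods
    extensions, curves, point_formats = [], [], []
    if pos < len(body):                                 # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            extensions.append(etype)
            if etype == 0x000A:                         # supported_groups (elliptic curves)
                n = struct.unpack("!H", edata[:2])[0]
                curves = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 0x000B:                       # ec_point_formats
                point_formats = list(edata[1:1 + edata[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "point_formats": point_formats}


def ja3_string(f):
    """Format the five JA3 fields: decimal values, '-' inside a field, ',' between fields."""
    def fmt(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(f["version"]), fmt(f["ciphers"]), fmt(f["extensions"]),
                     fmt(f["curves"]), fmt(f["point_formats"])])


def ja3_hash(s):
    """The 'print' is the MD5 of the formatted string."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed sample ClientHello: TLS 1.2 version field, one GREASE cipher and one GREASE
# extension mixed in so the filtering is exercised. All values are made up for this example.
SNI = struct.pack("!H", 14) + b"\x00" + struct.pack("!H", 11) + b"example.com"
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F],
    [(0x0000, SNI),
     (0x000A, struct.pack("!HHHH", 6, 0x001D, 0x0017, 0x0018)),
     (0x000B, b"\x01\x00"),
     (0x000D, struct.pack("!H", 4) + b"\x04\x03\x08\x04"),
     (0x3A3A, b"\x00")],
)

if __name__ == "__main__":
    s = ja3_string(parse_client_hello(SAMPLE_HELLO))
    print(s)              # 771,4865-4866-49195-49199,0-10-11-13,29-23-24,0
    print(ja3_hash(s))
```

The GREASE filtering is the detail most often missed when people reimplement this: without it, a browser that sends GREASE produces a different print on every connection and the "stable fingerprint" assumption in the text no longer holds.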
  
-Links +<note>  
 +Further reading
   * [[https://github.com/synackpse|Lee Brotherstons work]] on TLS Fingerprinting   * [[https://github.com/synackpse|Lee Brotherstons work]] on TLS Fingerprinting
 +  * [[https://blog.squarelemon.com/tls-fingerprinting/|Square Lemon blog TLS Fingerprinting]]
   * [[https://github.com/salesforce/ja3|JA3 Hash]]     * [[https://github.com/salesforce/ja3|JA3 Hash]]  
 +</note>
 ==== Fingerprints database ==== ==== Fingerprints database ====
  
Line 39: Line 43:
  
  
-===== Analysis of TLS Fingerprints =====+==== Analysis of TLS Fingerprints ====
    
 What are you going to do with these prints. There are a few options  What are you going to do with these prints. There are a few options 
Line 97: Line 101:
 ===== Programatically resolving TLS Prints ===== ===== Programatically resolving TLS Prints =====
  
-This App dumps all fingerprints along with the parameters used to compute them and the TCP Flow details in a log file.  In another article we will outline how we can programatically deduce the Client Fingerprint.+This App dumps all fingerprints along with the parameters used to compute them into a log file. This allows us to programatically resolve unknown fingerprintsWe released a TRP Ruby script to [[app:auto_fingerprint|programatically resolve TLS Prints using Web Server Access Logs]]. 
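The resolution idea in this section, as an added example that is not the TRP Ruby script the page links to: given a fingerprint log (timestamp, client address, JA3 hash) and the web server's combined-format access log, join them on client IP and on requests arriving within a short window after the handshake, then vote on the User-Agent strings to label each unknown print. Both log samples below are constructed; the fingerprint log format and its UTC timestamps are an assumption, since the App's actual format is not shown on the page.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed fingerprint log (format assumed: time, client, server, ja3=<hash>); hashes are made up.
FINGERPRINT_LOG = """\
2017-11-29T10:00:01 192.168.1.10:51234 10.0.0.5:443 ja3=0123456789abcdef0123456789abcdef
2017-11-29T10:00:05 192.168.1.11:40022 10.0.0.5:443 ja3=fedcba9876543210fedcba9876543210
2017-11-29T10:00:09 192.168.1.10:51240 10.0.0.5:443 ja3=0123456789abcdef0123456789abcdef
2017-11-29T10:30:00 192.168.1.12:60000 10.0.0.5:443 ja3=0123456789abcdef0123456789abcdef
"""

# Constructed Apache/nginx combined-format access log from the same server.
ACCESS_LOG = """\
192.168.1.10 - - [29/Nov/2017:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; rv:57.0) Gecko/20100101 Firefox/57.0"
192.168.1.11 - - [29/Nov/2017:10:00:06 +0000] "GET /api HTTP/1.1" 200 88 "-" "curl/7.55.1"
192.168.1.10 - - [29/Nov/2017:10:00:10 +0000] "GET /a.css HTTP/1.1" 200 10 "-" "Mozilla/5.0 (Windows NT 10.0; rv:57.0) Gecko/20100101 Firefox/57.0"
192.168.1.12 - - [29/Nov/2017:11:30:00 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.18"
"""

FP_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):\d+ \S+ ja3=([0-9a-f]{32})$")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d+ \S+ "[^"]*" "([^"]*)"$')


def parse_fingerprints(text):
    """Yield (utc_time, client_ip, ja3) from the fingerprint log."""
    for line in text.splitlines():
        m = FP_RE.match(line)
        if not m:
            continue                                   # tolerate unrelated log lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        yield ts, m.group(2), m.group(3)


def index_access_log(text):
    """Map client IP -> list of (utc_time, user_agent) from a combined-format access log."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        by_ip[m.group(1)].append((ts, m.group(3)))
    return by_ip


def resolve_prints(fp_text, access_text, window_seconds=5):
    """Return (resolved, unresolved): resolved maps ja3 -> Counter of User-Agents seen from
    the same client IP within window_seconds after the handshake; unresolved lists the
    (time, ip, ja3) records with no matching request, so they can be reviewed by hand."""
    by_ip = index_access_log(access_text)
    resolved = defaultdict(Counter)
    unresolved = []
    for fp_ts, ip, ja3 in parse_fingerprints(fp_text):
        hits = [ua for ts, ua in by_ip.get(ip, [])
                if 0 <= (ts - fp_ts).total_seconds() <= window_seconds]
        if hits:
            resolved[ja3].update(hits)
        else:
            unresolved.append((fp_ts, ip, ja3))
    return dict(resolved), unresolved


if __name__ == "__main__":
    resolved, unresolved = resolve_prints(FINGERPRINT_LOG, ACCESS_LOG)
    for ja3, uas in resolved.items():
        ua, votes = uas.most_common(1)[0]
        print(f"{ja3}  {ua!r}  ({votes} of {sum(uas.values())} requests)")
    for ts, ip, ja3 in unresolved:
        print(f"unresolved: {ja3} from {ip} at {ts.isoformat()}")
```

Two caveats a practitioner should keep in mind: the access log has no source port, so the join key is IP plus time, and clients behind NAT can attribute one print to the wrong User-Agent; and a User-Agent header is client-controlled, so the vote count matters more than any single match. Records that fall outside the window (the 192.168.1.12 sample above) are deliberately left unresolved rather than guessed.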
  
  
app/tlsfingerprint.txt · Last modified: 2018/03/04 13:27 by veera