app:tlsfingerprint
Revisions compared: app:tlsfingerprint [2017/11/28 23:46] – [TLS Fingerprinter] veera, and app:tlsfingerprint [2018/03/04 13:27] (current) – veera
~~Title: TLS Fingerprinting using Trisul ~~

====== TLS Fingerprinter ======
===== What is TLS Fingerprinting =====
This technique builds upon the patterns found in the preferences that are advertised in the "

The 3 major fields in the Client Hello that can identify a client are
  - **Elliptic Curves**: There are about 25 elliptic curve types registered by IANA (a client advertises the ones it accepts in the supported_groups extension, formerly called elliptic_curves). Which curves a client offers, and in what order, will also vary by client.
So if you take all three together there is a high likelihood that you can minimize collisions and identify a particular client on a particular operating system. If you print out the values of all three fields and then compute an MD5 hash over the resulting string, you get a '

The MD5 here is only a compact identifier for that string, not a security control: two different programs that link the same TLS library with the same configuration produce the same print, so a print identifies the TLS stack and its build-time preferences rather than one application.

At first, this approach may seem a bit flaky, but it is not easy for an application to change its //print// dynamically without some major code rewrite. We currently have about 300 hashes, largely due to Lee Brotherston'
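The following Python is an added example, not the Trisul app's LuaJIT code (which this page does not reproduce). It builds a constructed Client Hello record, parses out the three fields named above (the elliptic curves travel in the supported_groups extension, type 10) and hashes them with MD5 as described. Two things are assumptions of this example rather than anything the page states: the exact layout of the print string (the three fields comma-separated, the values within a field dash-separated, kept in the client's own order), and the removal of GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa), which some browsers draw at random on every connection and which would otherwise give a fresh print each time.

```python
"""Parse a TLS ClientHello and derive a 'print' from the three fields the page names:
cipher suites, extension types and elliptic curves (supported_groups extension, type 10).
Added example, not the Trisul LuaJIT app. The print-string layout and the GREASE
filter are assumptions of this example."""
import hashlib
import struct


def _u16(n):
    return struct.pack("!H", n)


def build_client_hello(ciphers, extensions):
    """Build a constructed TLS 1.2 ClientHello inside a TLS record.
    `extensions` is a list of (extension_type, extension_data) in the client's order."""
    ext_body = b"".join(_u16(t) + _u16(len(d)) + d for t, d in extensions)
    body = (
        b"\x03\x03"                                      # client_version: TLS 1.2
        + bytes(32)                                      # random (zeros; constructed input)
        + b"\x00"                                        # session_id length: 0
        + _u16(2 * len(ciphers)) + b"".join(_u16(c) for c in ciphers)
        + b"\x01\x00"                                    # compression_methods: null only
        + _u16(len(ext_body)) + ext_body
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake       # record type 22 = handshake


def parse_client_hello(record):
    """Return (cipher_suites, extension_types, curves) in the order the client advertised them."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                     # handshake header, version, random
    pos += 1 + hs[pos]                                   # session_id
    (cs_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                                   # compression_methods
    ext_types, curves = [], []
    if pos + 2 <= len(hs):                               # the extensions block is optional
        (ext_len,) = struct.unpack("!H", hs[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            data = hs[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == 10:                              # supported_groups (formerly elliptic_curves)
                (n,) = struct.unpack("!H", data[:2])
                curves = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
    return ciphers, ext_types, curves


def is_grease(value):
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) change per connection for
    some clients, so they are dropped before hashing or the print would never repeat."""
    return (value & 0x0f0f) == 0x0a0a and (value >> 8) == (value & 0xff)


def tls_print(record):
    """Print string: the three fields as dash-joined decimal values, comma-separated
    (assumed layout); the hash is MD5 over that string as the page describes."""
    fields = [[v for v in f if not is_grease(v)] for f in parse_client_hello(record)]
    text = ",".join("-".join(str(v) for v in f) for f in fields)
    return text, hashlib.md5(text.encode()).hexdigest()


# Constructed sample: a GREASE value leads each field, as a Chrome-style client would send.
SAMPLE_CIPHERS = [0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f]
SAMPLE_EXTENSIONS = [
    (0x2a2a, b""),                                       # GREASE extension
    (0, b"\x00\x0e\x00\x00\x0bexample.com"),             # server_name: list len 14, host_name, len 11
    (10, b"\x00\x08\x1a\x1a\x00\x1d\x00\x17\x00\x18"),   # supported_groups: GREASE, x25519, secp256r1, secp384r1
    (11, b"\x01\x00"),                                   # ec_point_formats: uncompressed
]
SAMPLE_HELLO = build_client_hello(SAMPLE_CIPHERS, SAMPLE_EXTENSIONS)

if __name__ == "__main__":
    text, digest = tls_print(SAMPLE_HELLO)
    print("raw fields :", parse_client_hello(SAMPLE_HELLO))
    print("print      :", text)
    print("md5        :", digest)
```

Swapping the order of two cipher suites changes the digest, while a different GREASE draw in the same position does not; the order of preference, not only the set of values, is part of what identifies the client build.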
Further reading
  * [[https://
  * [[https://
  * [[https://
==== Fingerprints database ====
The fingerprints database we have at our [[https://
==== Analysis of TLS Fingerprints ====
There are two actionable things

  * **Malware prints**
  * **Anomaly detection** : If you can track known prints, then you can build a large database over a period of time. After that you can send unseen prints into a "
===== How the TrisulNSM App works =====
The TLS Print app is written in LuaJIT and plugs into the TrisulNSM Scripting Engine. The source code for the App is available on the [[https://

The app generates
  - **Graph Analytics** : When a print is seen, the edge vertices, namely the IP flow tuples and the SNI (Server Name Indication) extension, are added.
  - **Alerts** : Right now we don't have many malware prints, but when we do have them, the App can generate an alert.
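Here is an added Python example, not code or data from the Trisul app, that shows the two analysis paths above together with the graph step from the list: each observed Client Hello is a constructed (flow tuple, print, SNI) record, a print found in the malware list raises an alert, a print in neither database is queued as unseen, and every print is connected to the flow tuples and SNIs it was seen with so that adjacent vertices can be revealed. The databases, the hashes (the MD5 of a label, not of any real client's Client Hello), the observation record layout and the addresses (RFC 5737 documentation ranges) are all constructed for this example.

```python
"""Triage TLS prints along the page's two analysis paths and build the print/flow/SNI graph.
Added example with constructed databases and observations; nothing here is Trisul's own
code or data, and the record layout is an assumption of this example."""
import hashlib
from collections import defaultdict


def fake_print(label):
    """Constructed stand-in for an MD5 TLS print: the MD5 of a label, not of a real Client Hello."""
    return hashlib.md5(label.encode()).hexdigest()


# Constructed known-print database: print -> client label.
KNOWN_PRINTS = {
    fake_print("browser-a"): "Browser A on OS X",
    fake_print("browser-b"): "Browser B on Windows",
    fake_print("updater-c"): "Vendor C software updater",
}
# Constructed malware prints, kept apart so that a match is an alert rather than a lookup.
MALWARE_PRINTS = {fake_print("rat-d"): "RAT family D beacon"}

# Constructed per-Client-Hello observations: (src, sport, dst, dport, print, sni).
OBSERVATIONS = [
    ("192.0.2.5", 51000, "198.51.100.20", 443, fake_print("browser-a"), "example.com"),
    ("192.0.2.5", 51001, "198.51.100.21", 443, fake_print("browser-a"), "cdn.example.net"),
    ("192.0.2.7", 40222, "203.0.113.9", 443, fake_print("rat-d"), "update-check.example.org"),
    ("192.0.2.9", 40300, "203.0.113.9", 443, fake_print("rat-d"), "update-check.example.org"),
    ("192.0.2.11", 47000, "203.0.113.77", 8443, fake_print("unknown-e"), ""),
]


def triage(observations, known=KNOWN_PRINTS, malware=MALWARE_PRINTS):
    """Return (graph, alerts, unseen).
    graph:  undirected adjacency, vertex -> set of vertices; vertex kinds are
            'print:', 'flow:' and 'sni:' (the edge vertices the page names).
    alerts: (label, flow, sni) for every observation whose print is a malware print.
    unseen: print -> number of flows, for prints in neither database (the anomaly queue)."""
    graph = defaultdict(set)
    alerts, unseen = [], defaultdict(int)
    for src, sport, dst, dport, tls_print, sni in observations:
        p = "print:" + tls_print
        flow = f"flow:{src}:{sport}->{dst}:{dport}"
        name = "sni:" + (sni or "<none>")           # SNI may be absent, e.g. IP-literal connections
        for a, b in ((p, flow), (p, name)):          # the print is the hub; flow and SNI hang off it
            graph[a].add(b)
            graph[b].add(a)
        if tls_print in malware:
            alerts.append((malware[tls_print], flow, sni))
        elif tls_print not in known:
            unseen[tls_print] += 1
    return graph, alerts, dict(unseen)


def adjacent(graph, vertex):
    """Reveal the neighbours of a vertex, as an analyst would expand a node in the graph view."""
    return sorted(graph.get(vertex, ()))


if __name__ == "__main__":
    graph, alerts, unseen = triage(OBSERVATIONS)
    for label, flow, sni in alerts:
        print("ALERT ", label, flow, sni)
    for tls_print, count in unseen.items():
        print("UNSEEN", tls_print, "flows:", count)
    print("neighbours of the RAT print:", adjacent(graph, "print:" + fake_print("rat-d")))
```

The unseen queue is what an analyst reviews; once a print is identified it is added to the known database so it stops surfacing, which is how the database grows over time. Expanding the SNI vertex for the beacon host shows every print that contacted it, so a second client with a different stack talking to the same host is visible in the same view.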
When you reveal adjacent vertices in [[https://
===== Programmatically resolving TLS Prints =====
This App dumps all fingerprints
We invite
app/tlsfingerprint.1511893000.txt.gz · Last modified: 2017/11/28 23:46 by veera