

2019-03-26 15:50:43 +01:00
% Full instructions available at:
\definecolor{main}{RGB}{47, 161, 219}
%\definecolor{textcolor}{RGB}{128, 128, 128}
\definecolor{background}{RGB}{240, 247, 255}
\definecolor{textcolor}{RGB}{85, 87, 83}
\title{D4 Project}
\subtitle{Revamping Passive SSL with D4}
\author{Jean-Louis Huynen}
\institute{Team CIRCL \\ \url{}}
\frametitle{A passive SSL fingerprinter}
CSIRT's rationale for collecting TLS handshakes:
\item Pivot on additional data points
\item Find owners of IP addresses
\item Detect usage of CIDR blocks
\item Detect vulnerable systems
\item Detect compromised services
History of links between:
\item X.509 certificates (and therefore their fields)
\item Ports
\item IP addresses
\item Client (ja3)
\item Server (ja3s)
\frametitle{Problem statement}
\item CIRCL already offers a similar service based on SSLDump
\item SSLDump needs some love - maintaining it is hard
\item Alternatives do not span the entire TLS handshake (Salesforce's ja3)
\item TCP reassembly is not an easy problem to solve (Cloudflare uses tshark)
Main features:
\item Take over SSLDump's duty
\item Written in Go
\item Uses gopacket for TCP reassembly and spans the whole handshake
\item ja3, ja3s, certificates, IP src / dst, port src / dst, TLSH
Current caveats:
\item Support for TLS 1.3 pending
\item Reassembly requires RAM
\item 1 desktop monitored for 15 days
\item 3327 TLS sessions fingerprinted
\item 600 unique certificates collected
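The ja3 and ja3s values listed among the main features are derived from the field values of the ClientHello and ServerHello. As an added example, not code from the D4 project or its sensor, the Go program below computes a JA3 fingerprint from a constructed ClientHello record (not a real capture): it walks the handshake with a bounds-checked cursor so a truncated capture yields an error rather than a panic, drops GREASE values as JA3 requires, joins version, cipher suites, extension types, supported groups and point formats with "-" and ",", and hashes the result with MD5. The names `JA3`, `reader`, `u16List` and `sampleClientHello` are assumptions of this example.

```go
package main

import (
	"crypto/md5"
	"errors"
	"fmt"
	"strings"
)

// reader is a bounds-checked cursor: a read past the end records an error instead of panicking.
type reader struct {
	b   []byte
	pos int
	err error
}
func (r *reader) bytes(n int) []byte {
	if r.err != nil || n > len(r.b)-r.pos {
		r.err = errors.New("truncated ClientHello")
		return nil
	}
	r.pos += n
	return r.b[r.pos-n : r.pos]
}
// num reads an n-byte big-endian unsigned integer (TLS length fields use n = 1 or 2 here).
func (r *reader) num(n int) (v int) {
	for _, c := range r.bytes(n) {
		v = v<<8 | int(c)
	}
	return v
}
// isGrease reports whether v is a GREASE value (RFC 8701: 0x0a0a, 0x1a1a, ..., 0xfafa); JA3 drops them.
func isGrease(v int) bool { return v&0x0f0f == 0x0a0a && v>>8 == v&0xff }
// u16List decodes a packed list of 16-bit values, dropping GREASE entries.
func u16List(data []byte) (out []int) {
	for i := 0; i+1 < len(data); i += 2 {
		if v := int(data[i])<<8 | int(data[i+1]); !isGrease(v) {
			out = append(out, v)
		}
	}
	return out
}
// join renders values in decimal separated by "-", the JA3 list notation ("" for an empty list).
func join(vs []int) string { return strings.ReplaceAll(strings.Trim(fmt.Sprint(vs), "[]"), " ", "-") }

// JA3 computes "version,ciphers,extensions,groups,formats" and its MD5 hex digest
// from a TLS record (5-byte header) carrying a ClientHello handshake message.
func JA3(rec []byte) (string, string, error) {
	if len(rec) < 9 || rec[0] != 0x16 || rec[5] != 0x01 {
		return "", "", errors.New("not a TLS handshake record carrying a ClientHello")
	}
	r := &reader{b: rec[9:]} // past the record header (5 bytes) and handshake header (4 bytes)
	version := r.num(2)      // legacy client_version: stays 771 (0x0303) even for TLS 1.3
	r.bytes(32)              // random
	r.bytes(r.num(1))        // session_id
	ciphers := u16List(r.bytes(r.num(2)))
	r.bytes(r.num(1)) // compression_methods
	var exts, groups, formats []int
	if r.pos < len(r.b) { // the extensions block is optional
		extLen := r.num(2)
		for end := r.pos + extLen; r.err == nil && r.pos < end; {
			t := r.num(2)
			data := r.bytes(r.num(2))
			if isGrease(t) {
				continue
			}
			exts = append(exts, t)
			switch {
			case t == 10 && len(data) >= 2: // supported_groups: u16 length, then u16 list
				groups = u16List(data[2:])
			case t == 11 && len(data) >= 1: // ec_point_formats: u8 length, then u8 list
				for _, f := range data[1:] {
					formats = append(formats, int(f))
				}
			}
		}
	}
	if r.err != nil {
		return "", "", r.err
	}
	s := fmt.Sprintf("%d,%s,%s,%s,%s", version, join(ciphers), join(exts), join(groups), join(formats))
	return s, fmt.Sprintf("%x", md5.Sum([]byte(s))), nil
}

// sampleClientHello is a constructed ClientHello record (not a real capture) with a GREASE cipher suite and a GREASE extension.
var sampleClientHello = append(append([]byte{
	0x16, 0x03, 0x01, 0x00, 0x5c, 0x01, 0x00, 0x00, 0x58, // record header, handshake header
	0x03, 0x03}, make([]byte, 32)...), // client_version 771, then a zeroed 32-byte random
	0x00, 0x00, 0x0a, 0x0a, 0x0a, 0x13, 0x01, 0x13, 0x02, 0xc0, 0x2b, 0x00, 0x2f, // empty session_id; cipher_suites GREASE, 4865, 4866, 49195, 47
	0x01, 0x00, 0x00, 0x25, 0x2a, 0x2a, 0x00, 0x00, // compression_methods null; extensions length 37; GREASE extension
	0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, // supported_groups 29, 23, 24
	0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, // ec_point_formats 0
	0x00, 0x0d, 0x00, 0x04, 0x00, 0x02, 0x04, 0x03, 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04, // signature_algorithms; supported_versions TLS 1.3
)

func main() {
	s, h, err := JA3(sampleClientHello)
	fmt.Println(s, h, err)
}
```

For the sample the JA3 string is `771,4865-4866-49195-47,10-11-13-43,29-23-24,0`. Two points matter when using such fingerprints as pivots: the MD5 is only a lookup key, so two clients with the same field layout collide by design, and a TLS 1.3 client still reports 771 in the version slot because TLS 1.3 keeps the legacy version field and signals 1.3 in the supported_versions extension (type 43). ja3s applies the same idea to the ServerHello (version, chosen cipher, extension types).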
\frametitle{sensor-d4-tls-fingerprinting - collection}
\begin{tabular}{ll}
Options & Explanations\\
\hline
-r & read pcap file\\
-i & read from the interface\\
-w & dump certificates to folder\\
-j & write TLS session JSON descriptions to folder\\
-mbcp & max buffered pages per connection (16)\\
-mbpt & max total buffered pages (1024)\\
-d & debug\\
-v & verbose
\end{tabular}
Available on the D4 project's github page\footnote{\url{}}.
Depends on libpcap.
\frametitle{sensor-d4-tls-fingerprinting - d4 client}
D4 server requires a meta-header in order to accept this data:
\frametitle{sensor-d4-tls-fingerprinting - d4 worker}
\frametitle{Get in touch if you want to join the project, host a sensor or contribute}
\item Collaboration can include research partnership, sharing of collected streams or improving the software.
\item Contact:
\item \url{} - \url{}