2019-03-26 15:50:43 +01:00
% Full instructions available at:
% https://github.com/elauksap/focus-beamertheme
\documentclass { beamer}
\usetheme [numbering=progressbar] { focus}
\usepackage { tikz}
\usetikzlibrary { positioning}
\usetikzlibrary { shapes,arrows}
\usepackage { transparent}
\usepackage { fancyvrb}
\usepackage { listings}
2019-03-29 09:49:26 +01:00
\usepackage { csquotes}
2019-03-26 15:50:43 +01:00
\definecolor { main} { RGB} { 47, 161, 219}
%\definecolor{textcolor}{RGB}{128, 128, 128}
\definecolor { background} { RGB} { 240, 247, 255}
\definecolor { textcolor} { RGB} { 85, 87, 83}
\title { D4 Project}
\subtitle { Revamping Passive SSL with D4}
\author { Jean-Louis Huynen}
\titlegraphic { \includegraphics [width=140pt] { d4-logo.pdf} }
\institute { Team CIRCL \\ \url { https://www.d4-project.org/} }
\date { 20190329}
\lstset { %
language=bash,
backgroundcolor=\color { gray!25} ,
basicstyle=\ttfamily ,
breaklines=true,
columns=fullflexible
}
\begin { document}
\begin { frame}
\maketitle
\end { frame}
\begin { frame}
\frametitle { A passive SSL fingerprinter}
CSIRT's rationale for collecting TLS handshakes:
\begin { itemize}
2019-03-29 09:49:26 +01:00
\item pivot on additional data points,
\item find owners of IP addresses,
\item detect usage of CIDR blocks,
\item detect vulnerable systems,
\item detect compromised services,
\item detect Key material reuse.
2019-03-26 15:50:43 +01:00
\end { itemize}
\end { frame}
\begin { frame}
\frametitle { Objectives}
History of links between:
\begin { itemize}
2019-03-29 09:49:26 +01:00
\item x509 certificates (And therefore their fields),
\item ports,
\item IP address,
\item client (ja3),
\item server (ja3s),
2019-03-26 15:50:43 +01:00
\end { itemize}
2019-03-29 09:49:26 +01:00
\begin { displayquote}
``JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence.''\footnote { https://github.com/salesforce/ja3}
\end { displayquote}
2019-03-26 15:50:43 +01:00
\end { frame}
\begin { frame}
\frametitle { Problem statement}
\begin { itemize}
2019-03-29 09:49:26 +01:00
\item CIRCL already offers a similar service based on SSLDump\footnote { https://www.circl.lu/services/passive-ssl/} ,
\item SSLDump needs some love - maintaining it is hard,
\item SSLDump needs some love - extending it even harder,
\item nlternatives do not span the entire TLS Handshake (Salesforce's
ja3\footnote { https://github.com/salesforce/ja3} ),
\item TCP reassembly is not an easy problem to solve (Cloudfare's uses tshark\footnote { https://github.com/cloudflare/mitmengine} ),
2019-03-26 15:50:43 +01:00
\end { itemize}
\end { frame}
\begin { frame}
\frametitle { sensor-d4-tls-fingerprinting}
Main features:
\begin { itemize}
2019-03-29 09:49:26 +01:00
\item take over SSLDump's duty,
2019-03-26 15:50:43 +01:00
\item written in Golang
2019-03-29 09:49:26 +01:00
\item uses Go packet for tcp reassembly and spans whole TLS handshake
2019-03-26 15:50:43 +01:00
\item ja3, ja3s, certificates, ip src / dst, port src / dst, TLSH
\end { itemize}
Current caveats:
\begin { itemize}
\item Support for TLS 1.3 pending
2019-03-29 09:49:26 +01:00
\item Reassembly consumes a lot of RAM
2019-03-26 15:50:43 +01:00
\end { itemize}
\end { frame}
\begin { frame}
\frametitle { sensor-d4-tls-fingerprinting}
\begin { columns}
\begin { column} { 0.5\textwidth }
\begin { center}
\includegraphics [scale=0.2] { ../../informal-preso/0-intro-banana/monitor.png}
\end { center}
\end { column}
\begin { column} { 0.5\textwidth }
\begin { center}
\includegraphics [scale=0.2] { ../../informal-preso/0-intro-banana/orangepi.png}
\end { center}
\end { column}
\end { columns}
\hspace { 20pt}
\begin { itemize}
\item 1 desktop monitored during 15 days
\item 3327 TLS sessions fingerprinted
\item 600 unique certificates collected
\end { itemize}
\end { frame}
\begin { frame}
2019-03-29 09:49:26 +01:00
\frametitle { sensor-d4-tls-fingerprinting - collection}
2019-03-26 15:50:43 +01:00
\input { d4-tlsf.tex}
\begin { tabular} { l|l}
Options & Explanations\\
\hline
-r & read pcap file\\
-i & read from the interface \\
-w & dump certificates to folder\\
-j & write TLS session JSON descriptions to folder\\
-mbcp & max buffered pages per connection (16) \\
-mbpt & max total buffered pages (1024) \\
-d & debug \\
-v & verbose
\end { tabular}
\vspace { .8cm}
Available on the D4 project's github page\footnote { \url { github.com/D4-project/sensor-d4-tls-fingerprinting} } .
Depends on libpcap.
\end { frame}
2019-03-29 09:49:26 +01:00
\begin { frame} [fragile]
2019-03-29 10:14:08 +01:00
\frametitle { sensor-d4-tls-fingerprinting | d4 client}
2019-03-29 09:49:26 +01:00
Required setting:
\begin { itemize}
\item type should be set to 2 or 254
\item metaheader.json should state type: ja3-jl
\end { itemize}
2019-03-26 15:50:43 +01:00
\input { metaheader.json}
2019-03-29 09:49:26 +01:00
\vspace { .5cm}
\input { pipe.tex}
In the present setting the sensor will:
\begin { itemize}
\item describe every TLS Sessions,
\item marshal this description in JSON format
2019-03-29 10:52:58 +01:00
\item ship this description to the D4 server
2019-03-29 09:49:26 +01:00
\end { itemize}
2019-03-26 15:50:43 +01:00
\end { frame}
2019-03-29 10:07:52 +01:00
\begin { frame}
\frametitle { sensor-d4-tls-fingerprinting - ja3-jl plugin}
\begin { center}
\includegraphics [scale=0.4] { d4-worker2-ja3-jl.pdf}
\end { center}
\end { frame}
2019-03-29 09:49:26 +01:00
\begin { frame} [fragile]
2019-03-29 10:14:08 +01:00
\frametitle { sensor-d4-tls-fingerprinting - ja3-jl worker}
2019-03-26 15:50:43 +01:00
\input { worker.tex}
2019-03-29 09:49:26 +01:00
\begin { itemize}
\item processes each reassembled JSON description,
\item extracts x509 certificates and write to disk,
\item writes JSON description to disk,
\item push the files paths to the analyzer.
\end { itemize}
\end { frame}
\begin { frame} [fragile]
2019-03-29 10:14:08 +01:00
\frametitle { sensor-d4-tls-fingerprinting - ja3-jl analyzer}
2019-03-29 10:24:30 +01:00
(Work in Progress) \\
2019-03-29 10:14:08 +01:00
\vspace { .8cm}
Populates a database:
2019-03-29 09:49:26 +01:00
\begin { itemize}
\item LPOP a redis list populated by the worker
2019-03-29 10:14:08 +01:00
\item push JSON descriptions into a postgres database
2019-03-29 09:49:26 +01:00
\end { itemize}
\end { frame}
\begin { frame} [fragile]
2019-03-29 10:14:08 +01:00
\frametitle { sensor-d4-tls-fingerprinting - passivessl API}
2019-03-29 10:24:30 +01:00
(Work in Progress) \\
2019-03-29 10:14:08 +01:00
\vspace { .8cm}
2019-03-29 09:49:26 +01:00
Exposes a REST API to query the collected data:
\begin { itemize}
2019-03-29 10:14:08 +01:00
\item /index : returns the full DB (PoC),
\item /ja3/ : returns all TLS sessions with a given JA3 Signature,
\item /ja3s/ : returns all TLS sessions with a given JA3S Signature,
2019-03-29 09:49:26 +01:00
\end { itemize}
2019-03-26 15:50:43 +01:00
\end { frame}
\begin { frame}
\frametitle { Get in touch if you want to join the project, host a sensor or contribute}
\begin { itemize}
\item Collaboration can include research partnership, sharing of collected streams or improving the software.
\item Contact: info@circl.lu
\item \url { https://github.com/D4-Project} - \url { https://twitter.com/d4_ project}
\end { itemize}
\end { frame}
\end { document}
