update passive-ssl slidedeck
parent
7a63b981fd
commit
fbe33c637a
|
@ -9,6 +9,7 @@
|
||||||
\usepackage{transparent}
|
\usepackage{transparent}
|
||||||
\usepackage{fancyvrb}
|
\usepackage{fancyvrb}
|
||||||
\usepackage{listings}
|
\usepackage{listings}
|
||||||
|
\usepackage{csquotes}
|
||||||
\definecolor{main}{RGB}{47, 161, 219}
|
\definecolor{main}{RGB}{47, 161, 219}
|
||||||
%\definecolor{textcolor}{RGB}{128, 128, 128}
|
%\definecolor{textcolor}{RGB}{128, 128, 128}
|
||||||
\definecolor{background}{RGB}{240, 247, 255}
|
\definecolor{background}{RGB}{240, 247, 255}
|
||||||
|
@ -36,11 +37,12 @@
|
||||||
\frametitle{A passive SSL fingerprinter}
|
\frametitle{A passive SSL fingerprinter}
|
||||||
CSIRT's rationale for collecting TLS handshakes:
|
CSIRT's rationale for collecting TLS handshakes:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Pivot on additional data points
|
\item pivot on additional data points,
|
||||||
\item Find owners of IP addresses
|
\item find owners of IP addresses,
|
||||||
\item Detect usage of CIDR blocks
|
\item detect usage of CIDR blocks,
|
||||||
\item Detect vulnerable systems
|
\item detect vulnerable systems,
|
||||||
\item Detect compromised services
|
\item detect compromised services,
|
||||||
|
\item detect Key material reuse.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
@ -49,21 +51,26 @@
|
||||||
|
|
||||||
History of links between:
|
History of links between:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item x509 certificates (And therefore their fields)
|
\item x509 certificates (And therefore their fields),
|
||||||
\item Ports
|
\item ports,
|
||||||
\item IP address
|
\item IP address,
|
||||||
\item Client (ja3)
|
\item client (ja3),
|
||||||
\item Server (ja3s)
|
\item server (ja3s),
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
\begin{displayquote}
|
||||||
|
``JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence.''\footnote{https://github.com/salesforce/ja3}
|
||||||
|
\end{displayquote}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{Problem statement}
|
\frametitle{Problem statement}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item CIRCL already offers a similar service based on SSLDump
|
\item CIRCL already offers a similar service based on SSLDump\footnote{https://www.circl.lu/services/passive-ssl/},
|
||||||
\item SSLDump needs some love - maintaining it is hard
|
\item SSLDump needs some love - maintaining it is hard,
|
||||||
\item Alternatives do not span the entire TLS Handshake (Salesforce's ja3)
|
\item SSLDump needs some love - extending it even harder,
|
||||||
\item TCP reassembly is not an easy problem to solve (Cloudfare uses tshark)
|
\item nlternatives do not span the entire TLS Handshake (Salesforce's
|
||||||
|
ja3\footnote{https://github.com/salesforce/ja3}),
|
||||||
|
\item TCP reassembly is not an easy problem to solve (Cloudfare's uses tshark\footnote{https://github.com/cloudflare/mitmengine}),
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
@ -71,15 +78,15 @@
|
||||||
\frametitle{sensor-d4-tls-fingerprinting}
|
\frametitle{sensor-d4-tls-fingerprinting}
|
||||||
Main features:
|
Main features:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Take over SSLDump's duty
|
\item take over SSLDump's duty,
|
||||||
\item written in Golang
|
\item written in Golang
|
||||||
\item uses Go packet for tcp reassembly and spans whole handshake
|
\item uses Go packet for tcp reassembly and spans whole TLS handshake
|
||||||
\item ja3, ja3s, certificates, ip src / dst, port src / dst, TLSH
|
\item ja3, ja3s, certificates, ip src / dst, port src / dst, TLSH
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
Current caveats:
|
Current caveats:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Support for TLS 1.3 pending
|
\item Support for TLS 1.3 pending
|
||||||
\item Reassembly requires RAM
|
\item Reassembly consumes a lot of RAM
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
@ -106,7 +113,7 @@
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{sensor-d4-tls-fingerprinting - collectoin}
|
\frametitle{sensor-d4-tls-fingerprinting - collection}
|
||||||
|
|
||||||
\input{d4-tlsf.tex}
|
\input{d4-tlsf.tex}
|
||||||
|
|
||||||
|
@ -131,17 +138,55 @@ Depends on libpcap.
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}[fragile]
|
||||||
\frametitle{sensor-d4-tls-fingerprinting - d4 client}
|
\frametitle{sensor-d4-tls-fingerprinting - d4 client}
|
||||||
\input{pipe.tex}
|
Required setting:
|
||||||
\vspace{.8cm}
|
\begin{itemize}
|
||||||
D4 server requires a meta-header in order to accept this data:
|
\item type should be set to 2 or 254
|
||||||
|
\item metaheader.json should state type: ja3-jl
|
||||||
|
\end{itemize}
|
||||||
\input{metaheader.json}
|
\input{metaheader.json}
|
||||||
|
\vspace{.5cm}
|
||||||
|
\input{pipe.tex}
|
||||||
|
In the present setting the sensor will:
|
||||||
|
\begin{itemize}
|
||||||
|
\item describe every TLS Sessions,
|
||||||
|
\item marshal this description in JSON format
|
||||||
|
\item ship this description to D4 server
|
||||||
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}[fragile]
|
||||||
\frametitle{sensor-d4-tls-fingerprinting - d4 worker}
|
\frametitle{sensor-d4-tls-fingerprinting - d4 worker}
|
||||||
\input{worker.tex}
|
\input{worker.tex}
|
||||||
|
\begin{itemize}
|
||||||
|
\item processes each reassembled JSON description,
|
||||||
|
\item extracts x509 certificates and write to disk,
|
||||||
|
\item writes JSON description to disk,
|
||||||
|
\item push the files paths to the analyzer.
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}[fragile]
|
||||||
|
\frametitle{sensor-d4-tls-fingerprinting - d4 analyzer}
|
||||||
|
(Proof of Concept)
|
||||||
|
\begin{itemize}
|
||||||
|
\item LPOP a redis list populated by the worker
|
||||||
|
\item dumbly push JSON description into a postgres database
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
|
||||||
|
\begin{frame}[fragile]
|
||||||
|
\frametitle{sensor-d4-tls-fingerprinting - d4 passivessl API}
|
||||||
|
(Proof of Concept)
|
||||||
|
|
||||||
|
Exposes a REST API to query the collected data:
|
||||||
|
\begin{itemize}
|
||||||
|
\item /index : returns, the full DB :)
|
||||||
|
\item /ja3/ : returns, all TLS sessions with a given JA3 Signature
|
||||||
|
\item /ja3s/ : returns, all TLS sessions with a given JA3S Signature
|
||||||
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
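Review bot: The new Problem-statement item `\item nlternatives do not span the entire TLS Handshake (Salesforce's` carries a typo introduced by this commit and should read `\item alternatives do not span the entire TLS Handshake (Salesforce's`; the next new item, `(Cloudfare's uses tshark\footnote{...})`, should be `(Cloudflare uses tshark\footnote{...})`, matching the cloudflare URL in its own footnote. The same hunk and the earlier frames put bare URLs straight into `\footnote{...}`; writing them as `\footnote{\url{https://github.com/salesforce/ja3}}` lets them hyphenate and hyperlink, provided `url` or `hyperref` is loaded in the preamble, which this page does not show. In the d4-client frame the two new items `\item type should be set to 2 or 254` and `\item metaheader.json should state type: ja3-jl` use the word "type" for what appear to be two different fields (the old text called the first one the D4 meta-header); naming each field explicitly would remove the ambiguity for the audience, though I cannot confirm the exact field names from this page.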
@ -1,3 +1,3 @@
|
||||||
\begin{lstlisting}
|
\begin{lstlisting}
|
||||||
./d4-tlsf-amd64 ... | ./d4-amd64 -c conf.folder
|
./d4-tlsf-amd64 -i eth0 | ./d4-amd64 -c conf.crq
|
||||||
\end{lstlisting}
|
\end{lstlisting}
|
|
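Review bot: The listing environment on the first line of this file is still a bare `\begin{lstlisting}`, so the pipeline `./d4-tlsf-amd64 -i eth0 | ./d4-amd64 -c conf.crq` is typeset without shell highlighting; `\begin{lstlisting}[language=bash]` would mark it, and the new worker.tex listing added in this commit has the same gap and would take `[language=Python]`. Since the enclosing frame was switched to `[fragile]` in the slidedeck hunk, the verbatim content is safe to keep as is.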
@ -0,0 +1,11 @@
|
||||||
|
\begin{lstlisting}
|
||||||
|
def __init__(self, uuid, json_file):
|
||||||
|
super().__init__(uuid, json_file)
|
||||||
|
self.set_rotate_file_mode(False)
|
||||||
|
|
||||||
|
def process_data(self, data):
|
||||||
|
self.reconstruct_data(data)
|
||||||
|
|
||||||
|
def handle_reconstructed_data(self, data):
|
||||||
|
...
|
||||||
|
\end{lstlisting}
|
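Review bot: The worker excerpt's one non-obvious line, `self.set_rotate_file_mode(False)` in `__init__`, is shown with no hint of why rotation is disabled, and the slide gives the audience nothing to go on; a trailing comment such as `self.set_rotate_file_mode(False)  # keep each reconstructed description in its own file -- confirm` would explain it (the reason is inferred from the d4-worker bullet list, so verify before adding). The last method, `handle_reconstructed_data`, is reduced to `...`; replacing the ellipsis with a one-line comment that restates what the frame already lists, `# extract x509 certificates, write JSON to disk, push the paths to the analyzer`, would keep the listing self-contained without showing more code.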