| % Full instructions available at:
 | |
| % https://github.com/elauksap/focus-beamertheme
 | |
| 
 | |
| \documentclass{beamer}
 | |
| \usetheme[numbering=progressbar]{focus}
 | |
| \usepackage{tikz}
 | |
| \usetikzlibrary{positioning}
 | |
| \usetikzlibrary{shapes,arrows}
 | |
| \usepackage{transparent}
 | |
| \usepackage{fancyvrb}
 | |
| \usepackage{listings}
 | |
| \usepackage{csquotes}
 | |
| \definecolor{main}{RGB}{47, 161, 219}
 | |
| %\definecolor{textcolor}{RGB}{128, 128, 128}
 | |
| \definecolor{background}{RGB}{240, 247, 255}
 | |
| \definecolor{textcolor}{RGB}{85, 87, 83}
 | |
| \title{D4 Project}
 | |
| \subtitle{Revamping Passive SSL with D4}
 | |
| \author{Jean-Louis Huynen}
 | |
| \titlegraphic{\includegraphics[width=140pt]{d4-logo.pdf}}
 | |
| \institute{Team CIRCL \\ \url{https://www.d4-project.org/}}
 | |
| \date{20190329}
 | |
|  \lstset{%
 | |
|         language=bash,
 | |
|         backgroundcolor=\color{gray!25},
 | |
|         basicstyle=\ttfamily,
 | |
|         breaklines=true,
 | |
|         columns=fullflexible
 | |
|     }
 | |
| \begin{document}
 | |
| 
 | |
| \begin{frame}
 | |
|     \maketitle
 | |
| \end{frame}
 | |
|        
 | |
| \begin{frame}
 | |
|         \frametitle{A passive SSL fingerprinter}
 | |
|         A CSIRT's rationale for passively collecting TLS handshakes:
 | |
|         \begin{itemize}
 | |
|           \item pivot on additional data points,
 | |
|           \item find owners of IP addresses,
 | |
|           \item detect usage of CIDR blocks,
 | |
|           \item detect vulnerable systems,
 | |
|           \item detect compromised services,
 | |
|           \item detect key material reuse (the same key or certificate served from unrelated hosts).
 | |
|         \end{itemize}
 | |
| \end{frame}
 | |
| 
 | |
| \begin{frame}
 | |
|   \frametitle{Objectives}
 | |
| 
 | |
|         History of links between:
 | |
|         \begin{itemize}
 | |
|           \item X.509 certificates (and therefore their fields),
 | |
|           \item ports,
 | |
|           \item IP addresses,
 | |
|           \item TLS clients (JA3 fingerprint),
 | |
|           \item TLS servers (JA3S fingerprint).
 | |
|         \end{itemize}
 | |
|         \begin{displayquote}
 | |
|         ``JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence.''\footnote{\url{https://github.com/salesforce/ja3}}
 | |
|         \end{displayquote}
 | |
|         Caveat: JA3 hashes only the ClientHello parameters, so unrelated clients built on the same TLS stack collide, and a client can change its own fingerprint at will---treat it as a pivot, not as proof of identity.
 | |
| \end{frame}
 | |
|  
 | |
| \begin{frame}
 | |
|         \frametitle{Problem statement}
 | |
|         \begin{itemize}
 | |
|           \item CIRCL already offers a similar service based on SSLDump\footnote{\url{https://www.circl.lu/services/passive-ssl/}},
 | |
|           \item SSLDump needs some love - maintaining it is hard,
 | |
|           \item SSLDump needs some love - extending it even harder,
 | |
|           \item alternatives do not span the entire TLS handshake (Salesforce's
 | |
|             ja3\footnote{\url{https://github.com/salesforce/ja3}} only looks at the ClientHello/ServerHello),
 | |
|           \item TCP reassembly is not an easy problem to solve (Cloudflare's mitmengine\footnote{\url{https://github.com/cloudflare/mitmengine}} relies on tshark for it).
 | |
|         \end{itemize}
 | |
| \end{frame}
 | |
| 
 | |
| \begin{frame}
 | |
|         \frametitle{sensor-d4-tls-fingerprinting}
 | |
|         Main features:
 | |
|         \begin{itemize}
 | |
|           \item takes over SSLDump's duty,
 | |
|           \item written in Go,
 | |
|           \item uses gopacket for TCP reassembly and covers the whole TLS handshake,
 | |
|           \item extracts JA3, JA3S, certificates, source/destination IP and port, and a TLSH hash.
 | |
|         \end{itemize}
 | |
|         Current caveats:
 | |
|         \begin{itemize}
 | |
|           \item support for TLS 1.3 is pending---note that TLS 1.3 encrypts the Certificate message, so a passive sensor will only ever see the ClientHello/ServerHello of such sessions,
 | |
|           \item reassembly consumes a lot of RAM; bound it with \texttt{-mbcp}/\texttt{-mbpt}, otherwise a burst of incomplete connections can exhaust the sensor.
 | |
|         \end{itemize}
 | |
| \end{frame}
 | |
| 
 | |
| \begin{frame}
 | |
|         \frametitle{sensor-d4-tls-fingerprinting}
 | |
|         \begin{columns}
 | |
|             \begin{column}{0.5\textwidth}
 | |
|               \begin{center}
 | |
|                 \includegraphics[scale=0.2]{../../informal-preso/0-intro-banana/monitor.png}
 | |
|               \end{center}
 | |
|             \end{column}
 | |
|             \begin{column}{0.5\textwidth} 
 | |
|               \begin{center}
 | |
|                 \includegraphics[scale=0.2]{../../informal-preso/0-intro-banana/orangepi.png}
 | |
|               \end{center}
 | |
|             \end{column}
 | |
|           \end{columns}
 | |
|           \hspace{20pt}
 | |
|           \begin{itemize}
 | |
|             \item 1 desktop monitored for 15 days,
 | |
|             \item 3327 TLS sessions fingerprinted,
 | |
|             \item 600 unique certificates collected.
 | |
|           \end{itemize}
 | |
| \end{frame}
 | |
| 
 | |
| \begin{frame}
 | |
|         \frametitle{sensor-d4-tls-fingerprinting - collection}
 | |
| 
 | |
|   \input{d4-tlsf.tex}
 | |
| 
 | |
| 
 | |
| \begin{tabular}{l|l}
 | |
| Options & Explanations\\
 | |
| \hline
 | |
|   -r & read pcap file\\
 | |
|   -i & read from the interface \\
 | |
|   -w & dump certificates to folder\\
 | |
|   -j & write TLS session JSON descriptions to folder\\
 | |
|   -mbcp & max buffered pages per connection (16) \\
 | |
|   -mbpt & max total buffered pages (1024) \\
 | |
|   -d & debug \\
 | |
|   -v & verbose
 | |
| \end{tabular}
 | |
| 
 | |
| \vspace{.8cm}
 | |
|   Available on the D4 project's GitHub page\footnote{\url{https://github.com/D4-project/sensor-d4-tls-fingerprinting}}.
 | |
| Depends on libpcap; live capture (\texttt{-i}) needs raw-socket privileges, so prefer granting CAP\_NET\_RAW to the binary over running the sensor as root.
 | |
| 
 | |
| \end{frame}
 | |
| 
 | |
| 
 | |
| \begin{frame}[fragile]
 | |
|         \frametitle{sensor-d4-tls-fingerprinting | d4 client} 
 | |
|         Required settings:
 | |
|         \begin{itemize}
 | |
|         \item the D4 type should be set to 2 or 254,
 | |
|           \item \texttt{metaheader.json} should state \texttt{type: ja3-jl}.
 | |
|         \end{itemize}
 | |
|         \input{metaheader.json}
 | |
|         \vspace{.5cm}
 | |
|         \input{pipe.tex}
 | |
|         In the present setting the sensor will:
 | |
|         \begin{itemize}
 | |
|           \item describe every TLS session,
 | |
|           \item marshal this description in JSON format,
 | |
|           \item ship this description to the D4 server.
 | |
|         \end{itemize}
 | |
|         Each description carries client and server IP addresses plus the certificates seen, i.e.\ monitoring data that should only travel over an authenticated, encrypted sensor-to-server channel.
 | |
| \end{frame}
 | |
| 
 | |
| \begin{frame}
 | |
|         \frametitle{sensor-d4-tls-fingerprinting - ja3-jl plugin} 
 | |
|               \begin{center}
 | |
|                 \includegraphics[scale=0.4]{d4-worker2-ja3-jl.pdf}
 | |
|               \end{center}
 | |
| \end{frame}
 | |
| 
 | |
| \begin{frame}[fragile]
 | |
|         \frametitle{sensor-d4-tls-fingerprinting - ja3-jl worker} 
 | |
|         \input{worker.tex}
 | |
|         \begin{itemize}
 | |
|           \item processes each reassembled JSON description,
 | |
|           \item extracts the X.509 certificates and writes them to disk (file names should derive from a content hash rather than from certificate fields, which are attacker-controlled),
 | |
|           \item writes the JSON description to disk,
 | |
|           \item pushes the file paths to the analyzer.
 | |
|         \end{itemize}
 | |
| \end{frame}
 | |
| 
 | |
| \begin{frame}[fragile]
 | |
|         \frametitle{sensor-d4-tls-fingerprinting - ja3-jl analyzer} 
 | |
|         (Work in Progress) \\
 | |
|         \vspace{.8cm} 
 | |
|         Populates a database:
 | |
|         \begin{itemize}
 | |
|           \item \texttt{LPOP} a Redis list populated by the worker,
 | |
|           \item pushes the JSON descriptions into a PostgreSQL database (the fields come straight from the wire, so inserts must be parameterised).
 | |
|         \end{itemize}
 | |
| \end{frame}
 | |
| 
 | |
| 
 | |
| \begin{frame}[fragile]
 | |
|         \frametitle{sensor-d4-tls-fingerprinting - passivessl API} 
 | |
|         (Work in Progress) \\
 | |
|         \vspace{.8cm} 
 | |
|         Exposes a REST API to query the collected data:
 | |
|         \begin{itemize}
 | |
|           \item /index : returns the full DB (PoC only---the data includes observed IP addresses, so this endpoint must not be exposed without authentication),
 | |
|           \item /ja3/ : returns all TLS sessions with a given JA3 fingerprint,
 | |
|           \item /ja3s/ : returns all TLS sessions with a given JA3S fingerprint.
 | |
|         \end{itemize}
 | |
| \end{frame}
 | |
| 
 | |
| 
 | |
| \begin{frame}
 | |
| \frametitle{Get in touch if you want to join the project, host a sensor or contribute}
 | |
| \begin{itemize}
 | |
| \item Collaboration can include research partnership, sharing of collected streams or improving the software.
 | |
| \item Contact: info@circl.lu
 | |
| \item \url{https://github.com/D4-Project} -  \url{https://twitter.com/d4_project}
 | |
| \end{itemize}
 | |
| \end{frame}
 | |
| 
 | |
| 
 | |
| \end{document}
 |