159 lines
4.6 KiB
TeX
159 lines
4.6 KiB
TeX
% Full instructions available at:
|
|
% https://github.com/elauksap/focus-beamertheme
|
|
|
|
\documentclass{beamer}
|
|
\usetheme[numbering=progressbar]{focus}
|
|
\usepackage{tikz}
|
|
\usetikzlibrary{positioning}
|
|
\usetikzlibrary{shapes,arrows}
|
|
\usepackage{transparent}
|
|
\usepackage{fancyvrb}
|
|
\usepackage{listings}
|
|
\definecolor{main}{RGB}{47, 161, 219}
|
|
%\definecolor{textcolor}{RGB}{128, 128, 128}
|
|
\definecolor{background}{RGB}{240, 247, 255}
|
|
\definecolor{textcolor}{RGB}{85, 87, 83}
|
|
\title{D4 Project}
|
|
\subtitle{Revamping Passive SSL with D4}
|
|
\author{Jean-Louis Huynen}
|
|
\titlegraphic{\includegraphics[width=140pt]{d4-logo.pdf}}
|
|
\institute{Team CIRCL \\ \url{https://www.d4-project.org/}}
|
|
\date{20190329}
|
|
\lstset{%
|
|
language=bash,
|
|
backgroundcolor=\color{gray!25},
|
|
basicstyle=\ttfamily,
|
|
breaklines=true,
|
|
columns=fullflexible
|
|
}
|
|
\begin{document}
|
|
|
|
\begin{frame}
|
|
\maketitle
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{A passive SSL fingerprinter}
|
|
CSIRT's rationale for collecting TLS handshakes:
|
|
\begin{itemize}
|
|
\item Pivot on additional data points
|
|
\item Find owners of IP addresses
|
|
\item Detect usage of CIDR blocks
|
|
\item Detect vulnerable systems
|
|
\item Detect compromised services
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Objectives}
|
|
|
|
History of links between:
|
|
\begin{itemize}
|
|
\item x509 certificates (And therefore their fields)
|
|
\item Ports
|
|
\item IP address
|
|
\item Client (ja3)
|
|
\item Server (ja3s)
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Problem statement}
|
|
\begin{itemize}
|
|
\item CIRCL already offers a similar service based on SSLDump
|
|
\item SSLDump needs some love - maintaining it is hard
|
|
\item Alternatives do not span the entire TLS Handshake (Salesforce's ja3)
|
|
\item TCP reassembly is not an easy problem to solve (Cloudfare uses tshark)
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{sensor-d4-tls-fingerprinting}
|
|
Main features:
|
|
\begin{itemize}
|
|
\item Take over SSLDump's duty
|
|
\item written in Golang
|
|
\item uses Go packet for tcp reassembly and spans whole handshake
|
|
\item ja3, ja3s, certificates, ip src / dst, port src / dst, TLSH
|
|
\end{itemize}
|
|
Current caveats:
|
|
\begin{itemize}
|
|
\item Support for TLS 1.3 pending
|
|
\item Reassembly requires RAM
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{sensor-d4-tls-fingerprinting}
|
|
\begin{columns}
|
|
\begin{column}{0.5\textwidth}
|
|
\begin{center}
|
|
\includegraphics[scale=0.2]{../../informal-preso/0-intro-banana/monitor.png}
|
|
\end{center}
|
|
\end{column}
|
|
\begin{column}{0.5\textwidth}
|
|
\begin{center}
|
|
\includegraphics[scale=0.2]{../../informal-preso/0-intro-banana/orangepi.png}
|
|
\end{center}
|
|
\end{column}
|
|
\end{columns}
|
|
\hspace{20pt}
|
|
\begin{itemize}
|
|
\item 1 desktop monitored during 15 days
|
|
\item 3327 TLS sessions fingerprinted
|
|
\item 600 unique certificates collected
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{sensor-d4-tls-fingerprinting - collectoin}
|
|
|
|
\input{d4-tlsf.tex}
|
|
|
|
|
|
\begin{tabular}{l|l}
|
|
Options & Explanations\\
|
|
\hline
|
|
-r & read pcap file\\
|
|
-i & read from the interface \\
|
|
-w & dump certificates to folder\\
|
|
-j & write TLS session JSON descriptions to folder\\
|
|
-mbcp & max buffered pages per connection (16) \\
|
|
-mbpt & max total buffered pages (1024) \\
|
|
-d & debug \\
|
|
-v & verbose
|
|
\end{tabular}
|
|
|
|
\vspace{.8cm}
|
|
Available on the D4 project's github page\footnote{\url{github.com/D4-project/sensor-d4-tls-fingerprinting}}.
|
|
Depends on libpcap.
|
|
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\frametitle{sensor-d4-tls-fingerprinting - d4 client}
|
|
\input{pipe.tex}
|
|
\vspace{.8cm}
|
|
D4 server requires a meta-header in order to accept this data:
|
|
\input{metaheader.json}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{sensor-d4-tls-fingerprinting - d4 worker}
|
|
\input{worker.tex}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\frametitle{Get in touch if you want to join the project, host a sensor or contribute}
|
|
\begin{itemize}
|
|
\item Collaboration can include research partnership, sharing of collected streams or improving the software.
|
|
\item Contact: info@circl.lu
|
|
\item \url{https://github.com/D4-Project} - \url{https://twitter.com/d4_project}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\end{document}
|