Identifying groups of attackers with similar tools or behaviors is useful for profiling and discovering the connections between them. This talk will explore how I collect JA3, a SSL/TLS client fingerprint, to profile attackers and internet-wide SSL/TLS scans. The talk will provide some interesting observations and the first identified attempt to evade SSL/TLS client fingerprinting!

1. honeyTLS
Profiling and Clustering Internet-wide
SSL/TLS Scans with JA3
A D E L K A R I M I
Taiwan 2018
The Honeynet Project

2. $whoami
• 0x4D31
• Threat Detection and Hunting
• Sr Detection Engineer, Salesforce ☁
• Member & Ex-Chapter Lead @HoneynetProject Since 2010

3. Background

4. SSL/TLS Handshake
• Message Flow for a SSL/TLS Handshake
Client Server
-------- [ClientHello] -------->
<------- [ServerHello] ---------
<------- [Certificate] ---------
...
<----- [ServerHelloDone] -------
----- [ClientKeyExchange] ----->
...
<----- [Application Data] ----->
Reference: https://tools.ietf.org/html/rfc5246

5. SSL/TLS clientHello
• When a client first connects to a server, it is required
to send the ClientHello as its first message.
struct {
ProtocolVersion client_version;
Random random;
SessionID session_id;
CipherSuite cipher_suites<2..2^16-2>;
CompressionMethod compression_methods<1..2^8-1>;
select (extensions_present) {
case false:
struct {};
case true:
Extension extensions<0..2^16-1>;
};
} ClientHello;
Reference: https://tools.ietf.org/html/rfc5246

6. The cipher suite list in the ClientHello
message, contains the combinations
of cryptographic algorithms
supported by the client
in order of the client's preference

7. {
SSL/TLS clientHello

8. SSL/TLS Client
Fingerprinting

9. FingerprinTLS
• A set of tools developed by Lee Brotherston to
enable the matching, creation, and export of TLS
Fingerprints.
• record_tls_version, tls_version, ciphersuite_length,
ciphersuite, compression_length, compression,
e_curves, sig_alg, ec_point_fmt
• Applications:
• Passive Detection
• Fingerprint Defined Routing -> Honeypot
Reference: https://github.com/LeeBrotherston/tls-fingerprinting

10. sslhaf
• An Apache module that passively monitors initial
SSL handshakes to extract and log SSL client
capabilities
Reference: https://github.com/ssllabs/sslhaf

11. p0f
• Marek’s SSL Fingerprinting module for p0f
• SSL Client Signatures
Reference: https://idea.popcount.org/2012-06-17-ssl-fingerprinting-for-p0f/

12. Profiling SSL/TLS Clients w/
JA3

13. JA3
• A method for creating SSL/TLS client fingerprints
that are easy to produce and can be easily shared
for threat intelligence.
SSLVersion,Ciphers,Extensions,EllipticCurves,
EllipticCurvePointFormats
• Example:
• JA3 string: 769,47–53–5–10–49161–49162–49171–49172–
50–56–19–4,0–10–11,23–24–25,0
• JA3 hash (md5): ada70206e40642a3e4461f35503241d5
Reference: https://github.com/salesforce/ja3

14. honeyTLS
A stupidly simple honeypot using
Bro+JA3 script and Nginx!

15. Nginx
Several open SSL ports
Redirect 80 to 443
Collect Access_logs
<blah blah, userAgent, Request>

16. Nginx
Listen on some SSL ports
Redirect 80 to 443
Collect Access_logs
<blah blah, userAgent, Request>

17. Nginx
Listen on some SSL ports
Redirect 80 to 443
Collect Access_logs
<blah blah, userAgent, Request>

18. Nginx
Listen on some SSL ports
Redirect 80 to 443
Collect Access_log
<blah blah, userAgent, Request>

19. Nginx
Listen on some SSL ports
Redirect 80 to 443
Collect Access_log
{… , userAgent, request}

20. Bro
apt-get/yum install bro!
Add JA3 script
Collect SSL.log
<blah blah, server_name, ja3_hash, ja3_fileds>

21. Bro
apt-get/yum install bro!
Add JA3 script
Collect SSL.log
<blah blah, server_name, ja3_hash, ja3_fileds>

22. Bro
apt-get/yum install bro!
Add JA3 script
Collect SSL.log
<blah blah, server_name, ja3_hash, ja3_fileds>

23. Bro
apt-get/yum install bro!
Add JA3 script
Collect SSL.log
<blah blah, server_name, ja3_hash, ja3_fileds>

24. Bro
apt-get/yum install bro!
Add JA3 script
Collect SSL.log
{… , server_name, ja3, ja3_str}

25. < Splunk
access_log join ssl.log
<ipSrc, ja3, ja3_str, userAgent, request>
Enrich the data w/ GrayNoise API

26. < Splunk
access_log join ssl.log
<ipSrc, ja3, ja3_str, userAgent, request>
Enrich the data w/ GrayNoise API

27. < Splunk
access_log join ssl.log
{…, ipSrc, ja3, ja3_str, userAgent, request}
Enrich the data w/ GrayNoise API

28. < Splunk
access_log join ssl.log
{…, ipSrc, ja3, ja3_str, userAgent, request}
Enrich the data w/ GrayNoise API

29. Some dirty scripts here (will be updated soon):
https://github.com/0x4D31/honeyTLS

30. Data Analysis & Visualization
Profiling the Tools and Actors

31. Stats stats by actor
known ja3 fingerprints
top SSL ports

32. Stats
stats by ASN
stats by OS
stats by org

33. ipSrc —> ja3

34. ipSrc —> ja3

35. ipSrc —> ja3

36. ipSrc —> ja3

37. ipSrc —> ja3

38. o/
Identified some attempts to avoid
SSL/TLS fingerprinting by randomizing
the clientHello fields!

39. Fingerprint Modification - I

40. Fingerprint Modification - I

41. Fingerprint Modification - I

42. Fingerprint Modification - I

43. Fingerprint Modification - I
<demo>

48. Fingerprint Modification - II

49. Fingerprint Modification - II

50. Fingerprint Modification - II

52. ipSrc —> ja3

53. Fingerprint Modification - III

54. Fingerprint Modification - III

55. Unknown Thing!
ipSrc —> ja3

56. Unknown Thing!

57. Other
Interesting
Observations

58. Tor Exit Nodes
Tor=true | stats count by ja3

59. Tor Exit Nodes

60. Fake User-Agent

61. Fake User-Agent

62. Bitcoin
• Requests to get Bitcoin wallet files
• User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/
65.0.3325.162 Safari/537.36
• ja3: be1a7de97ea176604a3c70622189d78d

63. Future Works
* honeyTLS sensor v0.2
* Automated log correlation and reporting
* Anomaly detection using clientHello fields
…

64. THANK YOU
ADEL KARIMI, @0x4D31