Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
HTTPSハニポとFingerprint
Search
junk_coken
March 09, 2019
Technology
1
1.9k
HTTPSハニポとFingerprint
2019年3月9日に行われた第6回ハニーポッター技術交流会で発表したLT資料です。
junk_coken
March 09, 2019
Tweet
Share
More Decks by junk_coken
See All by junk_coken
6/14総サイLT~ハニーポットを作ってる話~
junk_coken
0
1.8k
ハニーポットで集める攻撃手法-seccamp2016
junk_coken
2
930
ハニーポットで捕らえるWordPressへの攻撃
junk_coken
1
3.7k
Other Decks in Technology
See All in Technology
AWS CDKでデータリストアの運用、どのように設計する?~Aurora・EFSの実践事例を紹介~/aws-cdk-data-restore-aurora-efs
mhrtech
4
630
端末が簡単にリモートから操作されるデモを通じて ソフトウェアサプライチェーン攻撃対策の重要性を理解しよう
kitaji0306
0
170
大規模データ基盤チームのオンプレTiDB運用への挑戦 / dpu-tidb
cyberagentdevelopers
PRO
1
110
[JAWS-UG金沢支部×コンテナ支部合同企画]コンテナとは何か
furuton
3
230
visionOSでの空間表現実装とImmersive Video表示について / ai-immersive-visionos
cyberagentdevelopers
PRO
1
100
フルカイテン株式会社 採用資料
fullkaiten
0
36k
AWSコンテナ本出版から3年経った今、もし改めて執筆し直すなら / If I revise our container book
iselegant
15
3.9k
30万人が利用するチャットをFirebase Realtime DatabaseからActionCableへ移行する方法
ryosk7
5
330
急成長中のWINTICKETにおける品質と開発スピードと向き合ったQA戦略と今後の展望 / winticket-autify
cyberagentdevelopers
PRO
1
160
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.6k
なんで、私がAWS Heroに!? 〜社外の広い世界に一歩踏み出そう〜
minorun365
PRO
6
1.1k
Commitment vs Harrisonism - Keynote for Scrum Niseko 2024
miholovesq
6
1.1k
Featured
See All Featured
Writing Fast Ruby
sferik
626
61k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.6k
A Tale of Four Properties
chriscoyier
156
23k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
Testing 201, or: Great Expectations
jmmastey
38
7k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
GraphQLの誤解/rethinking-graphql
sonatard
66
9.9k
Done Done
chrislema
181
16k
A Philosophy of Restraint
colly
203
16k
Rails Girls Zürich Keynote
gr2m
93
13k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Transcript
HTTPSFingerprint @junk_coken
• 3(@junk_coken) • HTTP &*/% ' ($-
' )+",# !.
HTTPS HTTPS ()
HTTPS 1. • DDNSOK 2. let’s encrypt
3. Nginx
HTTPHTTPS 0 200 400 600 800 1000 1200 HTTP
HTTPS 2019129201922 1134 60 HTTPS 468
Fingerprint
Fingerprinting ( ) Machine Fingerprint
Fingerprinting
Fingerprinting Passive fingerprinting • ( )
Fingerprinting Active fingerprinting • (JavaScript )
HoneypotFingerprint • p0f • OS " • T-POT #
• FingerprintJS • % • Micro Honeypot ($ '& • TLS Fingerprint • JA3, HASSH →OSS SSHCowrie !(HASSH)
fingerprintjs2 - https://valve.github.io/fingerprintjs2/
HoneypotFingerprint • p0f • OS " • T-POT #
• FingerprintJS • % • Micro Honeypot ($ '& • TLS Fingerprint • JA3, HASSH →OSS SSHCowrie !(HASSH)
JA3 JA3(https://github.com/salesforce/ja3) • $ &%,'*,",!+ • Black Hat Arsenal 2016
TLS Fingerprinting1 • HTTPS>8-45 3 E2. $ # /@=? D; ),# >8%# 6C: (-A7”(+ B9>8 0<” )
JA3 1. Client Hello 2. Server Hello, Server Certificate, Server
Key Exchange, Server Hello Done 3. Client Key Exchange, Change Cipher Spec, Finished 4. Change Cipher Spec, Finished HTTPS JA3
JA3 Client Hello • SSL Version • Cipher
Suite • Extension • Elliptic Curves • Elliptic Curve Point Formats 10 MD5
16 ← 771 ← 49162 ← 49195 ← 49169 ←
49159 ← 49171 ← 49161 ← 49172 ← 49199 ← 5 ← 47 ← 53 ← 49170 ← 10 ← 0 ← 5 ← 10 ← 23 ← 24 ← 25 ← 11 ← 13 ← 65281 771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,0-5-10- 11-13-65281,23-24-25,0 ↓MD5 20c9baf81bfe96ff89722899e75d0190
Web (Nginx) tcpdump( )
(pcap) HTTPS ELK
Fingerprint ja3fingerprint.json (https://github.com/trisulnsm/trisul- scripts/tree/master/lua/frontend_scripts/reassembly/ja3/prints) • JA3 fingerprint
•
Fingerprint fingerprint
• HTTPS # & →% ! •
"( '$
ma couleur