Upgrade to Pro — share decks privately, control downloads, hide ads and more …

HTTPSハニポとFingerprint

C853c16b1d116a78602d60914fa3ef54?s=47 junk_coken
March 09, 2019
Technology
1
1.3k

 HTTPSハニポとFingerprint

2019年3月9日に行われた第6回ハニーポッター技術交流会で発表したLT資料です。

C853c16b1d116a78602d60914fa3ef54?s=128

junk_coken

March 09, 2019
Tweet

More Decks by junk_coken

See All by junk_coken
C853c16b1d116a78602d60914fa3ef54?s=48 junk_coken
0
1.4k
C853c16b1d116a78602d60914fa3ef54?s=48 junk_coken
2
720
C853c16b1d116a78602d60914fa3ef54?s=48 junk_coken
1
3.1k

Other Decks in Technology

See All in Technology
79296c878944dabeffcc122318d84f34?s=48 cocacola917
0
4.3k
D8d463da5ab4a99265ffc1d12e76cbc9?s=48 sagara
1
290
13d936e697fe0f4fa96f926d0a712f6c?s=48 sansanbuildersbox
PRO
0
110
B3a78cfbf06ca9ee860536c6d1de5e7f?s=48 ykanoh
0
360
A645e7c3a6635ead8fa323c583769591?s=48 hololab
0
610
23f4d5d797a91b6d17d627b90b5a42d9?s=48 kentaro
0
160
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
0
150
Fb925cff494f6a5158a461493be48066?s=48 yuzutas0
1
1k
8fa31051503b09846584c49cd53d2f80?s=48 asei
1
280
C47bda32c8455a59471cd7e19c32c074?s=48 hamadakoji
0
270
4b2f3a64637b51e81813accbe8a98083?s=48 miura55
0
550
4cafe6a1c6287d64d7252279eeeffa94?s=48 moongift
0
130

Featured

See All Featured
3d6ace9554821d552146413bcdf874f6?s=48 trishagee
37
4.9k
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
342
16k
Ded01cdab114abe4ec13511e4c25b9bb?s=48 andyhume
67
4.5k
D47656e20ff5e42f125fc5ea0fd636c6?s=48 tmm1
64
10k
Be9caeb9d4ef9944d151af909063ed6e?s=48 samlambert
238
10k
7653c7c449918ff6542880a8c284f5e7?s=48 jponch
106
5.3k
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
372
43k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
105
11k
Bfd6b681ec6e8c9bef82ff0521c364f7?s=48 kastner
56
2.1k
6804f1775cb4babfcc3851298566fbce?s=48 tanoku
91
8.9k
Dad095ea7038f89f760419ce475d5d14?s=48 michaelherold
227
8.9k
B47b288784fda77a94aeb234ca743c24?s=48 keavy
111
15k

Transcript

  1. HTTPSFingerprint @junk_coken

  2.  • 3(@junk_coken) • HTTP &*/% '   ($-

    '   )+",# !. 

  3. HTTPS  HTTPS   ()

  4. HTTPS 1.   • DDNSOK 2. let’s encrypt 

     3. Nginx

  5. HTTPHTTPS  0 200 400 600 800 1000 1200 HTTP

    HTTPS 2019129201922   1134 60 HTTPS 468

  6. Fingerprint

  7. Fingerprinting   (  )   Machine Fingerprint

     Fingerprinting

  8. Fingerprinting Passive fingerprinting •   ( )

  9. Fingerprinting Active fingerprinting •   (JavaScript )

  10. HoneypotFingerprint • p0f • OS " • T-POT  #

     • FingerprintJS • % • Micro Honeypot ($  '& • TLS Fingerprint • JA3, HASSH →OSS SSHCowrie !(HASSH)

  11. fingerprintjs2  - https://valve.github.io/fingerprintjs2/

  12. HoneypotFingerprint • p0f • OS " • T-POT  #

     • FingerprintJS • % • Micro Honeypot ($  '& • TLS Fingerprint • JA3, HASSH →OSS SSHCowrie !(HASSH)

  13. JA3 JA3(https://github.com/salesforce/ja3) • $ &%,'*,",!+ • Black Hat Arsenal 2016

    TLS Fingerprinting1 • HTTPS>8-45 3 E2. $ # /@=? D; ),# >8%# 6C: (-A7”(+ B9>8 0<” )

  14. JA3 1. Client Hello 2. Server Hello, Server Certificate, Server

    Key Exchange, Server Hello Done 3. Client Key Exchange, Change Cipher Spec, Finished 4. Change Cipher Spec, Finished   HTTPS  JA3

  15. JA3 Client Hello   • SSL Version • Cipher

    Suite • Extension • Elliptic Curves • Elliptic Curve Point Formats 10 MD5 

  16. 16 ← 771 ← 49162 ← 49195 ← 49169 ←

    49159 ← 49171 ← 49161 ← 49172 ← 49199 ← 5 ← 47 ← 53 ← 49170 ← 10 ← 0 ← 5 ← 10 ← 23 ← 24 ← 25 ← 11 ← 13 ← 65281 771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,0-5-10- 11-13-65281,23-24-25,0 ↓MD5 20c9baf81bfe96ff89722899e75d0190

  17.   Web (Nginx) tcpdump(  )   

    (pcap) HTTPS    ELK  

  18. Fingerprint ja3fingerprint.json (https://github.com/trisulnsm/trisul- scripts/tree/master/lua/frontend_scripts/reassembly/ja3/prints) • JA3  fingerprint  

    •   

  19. Fingerprint fingerprint   

  20.  • HTTPS # &  →%  ! •

     "( '$

  21. ma couleur