HTTPSハニポとFingerprint

C853c16b1d116a78602d60914fa3ef54?s=47 junk_coken
March 09, 2019
Technology
1
1.1k

 HTTPSハニポとFingerprint

2019年3月9日に行われた第6回ハニーポッター技術交流会で発表したLT資料です。

C853c16b1d116a78602d60914fa3ef54?s=128

junk_coken

March 09, 2019
Tweet

More Decks by junk_coken

See All by junk_coken
C853c16b1d116a78602d60914fa3ef54?s=48 junk_coken
0
1.1k
C853c16b1d116a78602d60914fa3ef54?s=48 junk_coken
2
680
C853c16b1d116a78602d60914fa3ef54?s=48 junk_coken
1
2.9k

Other Decks in Technology

See All in Technology
3115a782126be714b5f94d24073c957d?s=48 oracle4engineer
0
220
Cd823abda454a7a2065fe6fe273ae84b?s=48 viva_tweet_x
2
230
26a00012c475c2380cd98cfe5e2e70ef?s=48 ozaki25
0
200
5b47136bedcba2799edf4fcd27ea66d7?s=48 yaegashi
0
150
2102a6b8760bd6f57f672805723dd83a?s=48 line_developers_tw
0
340
88964b936e864ca7d326272eaa70fa9a?s=48 hgsgtk
0
1.4k
4615930de72ec08f99d3227761ace0d8?s=48 yenlung
2
440
3d6ace9554821d552146413bcdf874f6?s=48 trishagee
5
340
B51ca7a51ae1fd06bc536fe83e6113e2?s=48 kaz29
6
4.4k
53850955f15249a1a9dc49df6113e400?s=48 line_developers
0
140
E8da8d13d06ca69dbe019ecad71ed2a4?s=48 vinaygaba
1
180
B1cc148711c6a37a5c922b6e72a4ad52?s=48 upura
1
860

Featured

See All Featured
Ecdea9b9714877b86cee08458f085481?s=48 trallard
6
210
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
12
420
2f5463832ccb768ccb4a1ca3607c27ef?s=48 jacobian
248
19k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
119
7.7k
56c4053438af8e8b90d6f53cbb7573be?s=48 jakevdp
766
190k
B6a8f005f39d23ffc930508ac9da68b9?s=48 vanstee
115
4.7k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
293
38k
15f2b8221f247985a27a627d2ece72f0?s=48 pauljervisheath
193
15k
C620790ae5bf5b50c245b2e0ef95f338?s=48 deanohume
293
27k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
447
35k
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
264
16k
C4de88ea47538e4594750e3861a341c8?s=48 brettharned
91
2.8k

Transcript

  1. HTTPSFingerprint @junk_coken

  2.  • 3(@junk_coken) • HTTP &*/% '   ($-

    '   )+",# !. 

  3. HTTPS  HTTPS   ()

  4. HTTPS 1.   • DDNSOK 2. let’s encrypt 

     3. Nginx

  5. HTTPHTTPS  0 200 400 600 800 1000 1200 HTTP

    HTTPS 2019129201922   1134 60 HTTPS 468

  6. Fingerprint

  7. Fingerprinting   (  )   Machine Fingerprint

     Fingerprinting

  8. Fingerprinting Passive fingerprinting •   ( )

  9. Fingerprinting Active fingerprinting •   (JavaScript )

  10. HoneypotFingerprint • p0f • OS " • T-POT  #

     • FingerprintJS • % • Micro Honeypot ($  '& • TLS Fingerprint • JA3, HASSH →OSS SSHCowrie !(HASSH)

  11. fingerprintjs2  - https://valve.github.io/fingerprintjs2/

  12. HoneypotFingerprint • p0f • OS " • T-POT  #

     • FingerprintJS • % • Micro Honeypot ($  '& • TLS Fingerprint • JA3, HASSH →OSS SSHCowrie !(HASSH)

  13. JA3 JA3(https://github.com/salesforce/ja3) • $ &%,'*,",!+ • Black Hat Arsenal 2016

    TLS Fingerprinting1 • HTTPS>8-45 3 E2. $ # /@=? D; ),# >8%# 6C: (-A7”(+ B9>8 0<” )

  14. JA3 1. Client Hello 2. Server Hello, Server Certificate, Server

    Key Exchange, Server Hello Done 3. Client Key Exchange, Change Cipher Spec, Finished 4. Change Cipher Spec, Finished   HTTPS  JA3

  15. JA3 Client Hello   • SSL Version • Cipher

    Suite • Extension • Elliptic Curves • Elliptic Curve Point Formats 10 MD5 

  16. 16 ← 771 ← 49162 ← 49195 ← 49169 ←

    49159 ← 49171 ← 49161 ← 49172 ← 49199 ← 5 ← 47 ← 53 ← 49170 ← 10 ← 0 ← 5 ← 10 ← 23 ← 24 ← 25 ← 11 ← 13 ← 65281 771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,0-5-10- 11-13-65281,23-24-25,0 ↓MD5 20c9baf81bfe96ff89722899e75d0190

  17.   Web (Nginx) tcpdump(  )   

    (pcap) HTTPS    ELK  

  18. Fingerprint ja3fingerprint.json (https://github.com/trisulnsm/trisul- scripts/tree/master/lua/frontend_scripts/reassembly/ja3/prints) • JA3  fingerprint  

    •   

  19. Fingerprint fingerprint   

  20.  • HTTPS # &  →%  ! •

     "( '$

  21. ma couleur