Upgrade to Pro — share decks privately, control downloads, hide ads and more …

HTTPSハニポとFingerprint

C853c16b1d116a78602d60914fa3ef54?s=47 junk_coken
March 09, 2019
Technology
1
1.2k

 HTTPSハニポとFingerprint

2019年3月9日に行われた第6回ハニーポッター技術交流会で発表したLT資料です。

C853c16b1d116a78602d60914fa3ef54?s=128

junk_coken

March 09, 2019
Tweet

More Decks by junk_coken

See All by junk_coken
C853c16b1d116a78602d60914fa3ef54?s=48 junk_coken
0
1.3k
C853c16b1d116a78602d60914fa3ef54?s=48 junk_coken
2
700
C853c16b1d116a78602d60914fa3ef54?s=48 junk_coken
1
2.9k

Other Decks in Technology

See All in Technology
4631864606a93224804a49331d1a7dfd?s=48 fufuhu
3
140
D61ecb299008e313b7a375e186a0d6ae?s=48 gobeyond20xx
0
170
F73ac5e3ccf3d4dbfffff61b14d2335c?s=48 pakio
0
110
Ff1cf99c7a71928f886c3b6c7c95b1da?s=48 masakazu
0
140
8611672fd60a86cd19c972c61df3c99f?s=48 900groove
2
330
19fc8f6113c5c3d86e6176362ff29479?s=48 kanaugust
PRO
0
120
Cd931bc05e7cee46b9a950a63e47ba4c?s=48 you
0
280
Ff7f1f76468f46a1c5c84b9238a4b162?s=48 miyake
1
420
40c17fd99791bbfbed1730cd1ae5a2c0?s=48 mii3king
0
420
8d50e289d6e35d7c1d8aca929b439e46?s=48 myajiri
0
320
3a95702770e66754d87b824c1400054f?s=48 oliva
7
1.1k
5b392dc79d5b6d1dab580bf60e26fb7c?s=48 nitya
0
210

Featured

See All Featured
78b475797a14c84799063c7cd073962f?s=48 holman
288
130k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
31
3.4k
7edec06b5435e0dac07a353b2cc26253?s=48 geeforr
332
29k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
498
130k
78b475797a14c84799063c7cd073962f?s=48 holman
448
130k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
10
1.5k
C51b39fa3c79ccb99dcb8a076bc98287?s=48 brianwarren
82
4.7k
0fe2973fa8d27d96547e43322341183a?s=48 swwweet
206
6.9k
24fc194843a71f10949be18d5a692682?s=48 gr2m
83
11k
B47b288784fda77a94aeb234ca743c24?s=48 keavy
107
14k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
1
520
3d6ace9554821d552146413bcdf874f6?s=48 trishagee
24
2.5k

Transcript

  1. HTTPSFingerprint @junk_coken

  2.  • 3(@junk_coken) • HTTP &*/% '   ($-

    '   )+",# !. 

  3. HTTPS  HTTPS   ()

  4. HTTPS 1.   • DDNSOK 2. let’s encrypt 

     3. Nginx

  5. HTTPHTTPS  0 200 400 600 800 1000 1200 HTTP

    HTTPS 2019129201922   1134 60 HTTPS 468

  6. Fingerprint

  7. Fingerprinting   (  )   Machine Fingerprint

     Fingerprinting

  8. Fingerprinting Passive fingerprinting •   ( )

  9. Fingerprinting Active fingerprinting •   (JavaScript )

  10. HoneypotFingerprint • p0f • OS " • T-POT  #

     • FingerprintJS • % • Micro Honeypot ($  '& • TLS Fingerprint • JA3, HASSH →OSS SSHCowrie !(HASSH)

  11. fingerprintjs2  - https://valve.github.io/fingerprintjs2/

  12. HoneypotFingerprint • p0f • OS " • T-POT  #

     • FingerprintJS • % • Micro Honeypot ($  '& • TLS Fingerprint • JA3, HASSH →OSS SSHCowrie !(HASSH)

  13. JA3 JA3(https://github.com/salesforce/ja3) • $ &%,'*,",!+ • Black Hat Arsenal 2016

    TLS Fingerprinting1 • HTTPS>8-45 3 E2. $ # /@=? D; ),# >8%# 6C: (-A7”(+ B9>8 0<” )

  14. JA3 1. Client Hello 2. Server Hello, Server Certificate, Server

    Key Exchange, Server Hello Done 3. Client Key Exchange, Change Cipher Spec, Finished 4. Change Cipher Spec, Finished   HTTPS  JA3

  15. JA3 Client Hello   • SSL Version • Cipher

    Suite • Extension • Elliptic Curves • Elliptic Curve Point Formats 10 MD5 

  16. 16 ← 771 ← 49162 ← 49195 ← 49169 ←

    49159 ← 49171 ← 49161 ← 49172 ← 49199 ← 5 ← 47 ← 53 ← 49170 ← 10 ← 0 ← 5 ← 10 ← 23 ← 24 ← 25 ← 11 ← 13 ← 65281 771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,0-5-10- 11-13-65281,23-24-25,0 ↓MD5 20c9baf81bfe96ff89722899e75d0190

  17.   Web (Nginx) tcpdump(  )   

    (pcap) HTTPS    ELK  

  18. Fingerprint ja3fingerprint.json (https://github.com/trisulnsm/trisul- scripts/tree/master/lua/frontend_scripts/reassembly/ja3/prints) • JA3  fingerprint  

    •   

  19. Fingerprint fingerprint   

  20.  • HTTPS # &  →%  ! •

     "( '$

  21. ma couleur