Upgrade to Pro — share decks privately, control downloads, hide ads and more …

HTTPSハニポとFingerprint

C853c16b1d116a78602d60914fa3ef54?s=47 junk_coken
March 09, 2019
Technology
1
1.2k

 HTTPSハニポとFingerprint

2019年3月9日に行われた第6回ハニーポッター技術交流会で発表したLT資料です。

C853c16b1d116a78602d60914fa3ef54?s=128

junk_coken

March 09, 2019
Tweet

More Decks by junk_coken

See All by junk_coken
C853c16b1d116a78602d60914fa3ef54?s=48 junk_coken
0
1.3k
C853c16b1d116a78602d60914fa3ef54?s=48 junk_coken
2
710
C853c16b1d116a78602d60914fa3ef54?s=48 junk_coken
1
3k

Other Decks in Technology

See All in Technology
4e7f712e4bba241f579d3dc0eaf130d4?s=48 mito201
0
360
F97943a70302823ff0e66434dc70b389?s=48 liviagabos
0
150
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
0
120
1ff811939fd0923df8321ec6d8bf9d4b?s=48 jxck
1
660
609308e6510e41133d30460eef1ccd36?s=48 no24oka
0
210
332f89cc697355902a817506b6995f2b?s=48 ytaka23
4
790
4b2f3a64637b51e81813accbe8a98083?s=48 miura55
0
130
3e8f61263f14a620f21d5f3f89c4b846?s=48 gamella
1
1.3k
1741a7877b6ff93bf29af4d11c2c895e?s=48 ryan403
0
150
96c31fe94f5e9b0eef4a606eaadcbc04?s=48 yoshiiryo1
2
380
A1792748885fe8f2555d9c718ee7ae53?s=48 joytomo
1
340
1405a601755e5fcbfdc93a2560368bb1?s=48 freddi
3
170

Featured

See All Featured
Ecdea9b9714877b86cee08458f085481?s=48 trallard
23
1.1k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
55
4.6k
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
287
47k
462dad0dd24c568a32dcdb0ae895ae1b?s=48 rasmusluckow
318
19k
053e75a5b48b44d6dd0612795dfb326d?s=48 notwaldorf
48
2.8k
F383c6a4dc55e331bbe2987b622cee6b?s=48 stephaniewalter
263
11k
5f83ef806155b403c3393160ce51f955?s=48 jlugia
218
16k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
315
21k
245cee81a9c424266e5e401d844ea881?s=48 lara
594
61k
D83926c323d4f9289f947b4b4e76b939?s=48 jensimmons
209
10k
79acae287842acf29084005533a7fb3b?s=48 hursman
111
9.4k
A0517b08532aec8ab2aae3f65d40ad86?s=48 hannesfritz
32
1.1k

Transcript

  1. HTTPSFingerprint @junk_coken

  2.  • 3(@junk_coken) • HTTP &*/% '   ($-

    '   )+",# !. 

  3. HTTPS  HTTPS   ()

  4. HTTPS 1.   • DDNSOK 2. let’s encrypt 

     3. Nginx

  5. HTTPHTTPS  0 200 400 600 800 1000 1200 HTTP

    HTTPS 2019129201922   1134 60 HTTPS 468

  6. Fingerprint

  7. Fingerprinting   (  )   Machine Fingerprint

     Fingerprinting

  8. Fingerprinting Passive fingerprinting •   ( )

  9. Fingerprinting Active fingerprinting •   (JavaScript )

  10. HoneypotFingerprint • p0f • OS " • T-POT  #

     • FingerprintJS • % • Micro Honeypot ($  '& • TLS Fingerprint • JA3, HASSH →OSS SSHCowrie !(HASSH)

  11. fingerprintjs2  - https://valve.github.io/fingerprintjs2/

  12. HoneypotFingerprint • p0f • OS " • T-POT  #

     • FingerprintJS • % • Micro Honeypot ($  '& • TLS Fingerprint • JA3, HASSH →OSS SSHCowrie !(HASSH)

  13. JA3 JA3(https://github.com/salesforce/ja3) • $ &%,'*,",!+ • Black Hat Arsenal 2016

    TLS Fingerprinting1 • HTTPS>8-45 3 E2. $ # /@=? D; ),# >8%# 6C: (-A7”(+ B9>8 0<” )

  14. JA3 1. Client Hello 2. Server Hello, Server Certificate, Server

    Key Exchange, Server Hello Done 3. Client Key Exchange, Change Cipher Spec, Finished 4. Change Cipher Spec, Finished   HTTPS  JA3

  15. JA3 Client Hello   • SSL Version • Cipher

    Suite • Extension • Elliptic Curves • Elliptic Curve Point Formats 10 MD5 

  16. 16 ← 771 ← 49162 ← 49195 ← 49169 ←

    49159 ← 49171 ← 49161 ← 49172 ← 49199 ← 5 ← 47 ← 53 ← 49170 ← 10 ← 0 ← 5 ← 10 ← 23 ← 24 ← 25 ← 11 ← 13 ← 65281 771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,0-5-10- 11-13-65281,23-24-25,0 ↓MD5 20c9baf81bfe96ff89722899e75d0190

  17.   Web (Nginx) tcpdump(  )   

    (pcap) HTTPS    ELK  

  18. Fingerprint ja3fingerprint.json (https://github.com/trisulnsm/trisul- scripts/tree/master/lua/frontend_scripts/reassembly/ja3/prints) • JA3  fingerprint  

    •   

  19. Fingerprint fingerprint   

  20.  • HTTPS # &  →%  ! •

     "( '$

  21. ma couleur