HTTPSハニポとFingerprint

HTTPSFingerprint @junk_coken

• 3(@junk_coken) • HTTP &*/% ' ($-
' )+",# !.

HTTPS HTTPS ()

HTTPS 1. • DDNSOK 2. let’s encrypt
3. Nginx

HTTPHTTPS 0 200 400 600 800 1000 1200 HTTP
HTTPS 2019129201922 1134 60 HTTPS 468

Fingerprint

Fingerprinting ( ) Machine Fingerprint
Fingerprinting

Fingerprinting Passive fingerprinting • ( )

Fingerprinting Active fingerprinting • (JavaScript )

HoneypotFingerprint • p0f • OS " • T-POT #
• FingerprintJS • % • Micro Honeypot ($ '& • TLS Fingerprint • JA3, HASSH →OSS SSHCowrie !(HASSH)

fingerprintjs2 - https://valve.github.io/fingerprintjs2/

HoneypotFingerprint • p0f • OS " • T-POT #
• FingerprintJS • % • Micro Honeypot ($ '& • TLS Fingerprint • JA3, HASSH →OSS SSHCowrie !(HASSH)

JA3 JA3(https://github.com/salesforce/ja3) • $ &%,'*,",!+ • Black Hat Arsenal 2016
TLS Fingerprinting1 • HTTPS>8-45 3 E2. $ # /@=? D; ),# >8%# 6C: (-A7”(+ B9>8 0<” )

JA3 1. Client Hello 2. Server Hello, Server Certificate, Server
Key Exchange, Server Hello Done 3. Client Key Exchange, Change Cipher Spec, Finished 4. Change Cipher Spec, Finished HTTPS JA3

JA3 Client Hello • SSL Version • Cipher
Suite • Extension • Elliptic Curves • Elliptic Curve Point Formats 10 MD5

16 ← 771 ← 49162 ← 49195 ← 49169 ←
49159 ← 49171 ← 49161 ← 49172 ← 49199 ← 5 ← 47 ← 53 ← 49170 ← 10 ← 0 ← 5 ← 10 ← 23 ← 24 ← 25 ← 11 ← 13 ← 65281 771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,0-5-10- 11-13-65281,23-24-25,0 ↓MD5 20c9baf81bfe96ff89722899e75d0190

Web (Nginx) tcpdump( )
(pcap) HTTPS ELK

Fingerprint ja3fingerprint.json (https://github.com/trisulnsm/trisul- scripts/tree/master/lua/frontend_scripts/reassembly/ja3/prints) • JA3 fingerprint
•

Fingerprint fingerprint

• HTTPS # & →% ! •
"( '$

ma couleur

HTTPSハニポとFingerprint

HTTPSハニポとFingerprint

junk_coken

More Decks by junk_coken

Other Decks in Technology

Featured

Transcript

HTTPSFingerprint @junk_coken

• 3(@junk_coken) • HTTP &*/% ' ($-

HTTPS HTTPS ()

HTTPS 1. • DDNSOK 2. let’s encrypt

HTTPHTTPS 0 200 400 600 800 1000 1200 HTTP

Fingerprint

Fingerprinting ( ) Machine Fingerprint

Fingerprinting Passive fingerprinting • ( )

Fingerprinting Active fingerprinting • (JavaScript )

HoneypotFingerprint • p0f • OS " • T-POT #

fingerprintjs2 - https://valve.github.io/fingerprintjs2/

HoneypotFingerprint • p0f • OS " • T-POT #

JA3 JA3(https://github.com/salesforce/ja3) • $ &%,'*,",!+ • Black Hat Arsenal 2016

JA3 1. Client Hello 2. Server Hello, Server Certificate, Server

JA3 Client Hello • SSL Version • Cipher

16 ← 771 ← 49162 ← 49195 ← 49169 ←

Web (Nginx) tcpdump( )

Fingerprint ja3fingerprint.json (https://github.com/trisulnsm/trisul- scripts/tree/master/lua/frontend_scripts/reassembly/ja3/prints) • JA3 fingerprint

Fingerprint fingerprint

• HTTPS # & →% ! •

ma couleur