Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Blue Team TLS Hugs
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Lee Brotherston
July 29, 2017
Technology
360
0
Share
Blue Team TLS Hugs
My talk given at the Crypto & Privacy Village at Defcon 25
Lee Brotherston
July 29, 2017
More Decks by Lee Brotherston
See All by Lee Brotherston
TLS Tools for Blue Teams
leebrotherston
0
160
Abusing TLS For Defensive Wins
leebrotherston
2
1.1k
TLS Fingerprinting SecTorCA Edition
leebrotherston
0
190
Stealthier Attacks and Smarter Defending with TLS Fingerprinting
leebrotherston
0
240
The Cynical Trust Model
leebrotherston
0
62
Corporation In The Middle
leebrotherston
0
130
Corporation In The Middle - SecTor
leebrotherston
0
54
Incident Response for Cheapskates - BSidesTO 2013
leebrotherston
0
80
Other Decks in Technology
See All in Technology
Cortex Code君、今日から内製化支援担当ね。
coco_se
0
190
SSoT(Single Source of Truth)で「壊して再生」する設計
kawauso
2
420
不確実性と戦いながら見積もりを作成するプロセス/mitsumori-process
hirodragon112
1
180
OPENLOGI Company Profile for engineer
hr01
1
62k
Datadog で実現するセキュリティ対策 ~オブザーバビリティとセキュリティを 一緒にやると何がいいのか~
a2ush
0
190
Babylon.js を使って試した色々な内容 / Various things I tried using Babylon.js / Babylon.js 勉強会 vol.5
you
PRO
0
200
Zephyr(RTOS)でOpenPLCを実装してみた
iotengineer22
0
180
Blue/Green Deployment を用いた PostgreSQL のメジャーバージョンアップ
kkato1
1
230
OpenClaw初心者向けセミナー / OpenClaw Beginner Seminar
cmhiranofumio
0
240
The essence of decision-making lies in primary data
kaminashi
0
230
【関西電力KOI×VOLTMIND 生成AIハッカソン】空間AIブレイン ~⼤阪おばちゃんフィジカルAIに続く道~
tanakaseiya
0
110
最大のアウトプット術は問題を作ること
ryoaccount
0
270
Featured
See All Featured
Designing Powerful Visuals for Engaging Learning
tmiket
1
320
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
21
1.4k
Marketing to machines
jonoalderson
1
5.1k
Into the Great Unknown - MozCon
thekraken
40
2.3k
A designer walks into a library…
pauljervisheath
211
24k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
130k
AI Search: Where Are We & What Can We Do About It?
aleyda
0
7.2k
The #1 spot is gone: here's how to win anyway
tamaranovitovic
2
1k
Deep Space Network (abreviated)
tonyrice
0
100
Abbi's Birthday
coloredviolet
2
6.2k
SEO for Brand Visibility & Recognition
aleyda
0
4.4k
<Decoding/> the Language of Devs - We Love SEO 2024
nikkihalliwell
1
170
Transcript
Blue Team TLS Hugs Lee Brotherston - @synackpse - #TLSHugs
SSL TLS does what now? Lee Brotherston - @synackpse -
#TLSHugs
Renegotiation... Encrypted Data Key Exchange Kittens... Unicorn Tears Pixie Dust
Client Client Hello Server Server Hello Lee Brotherston - @synackpse - #TLSHugs
Current State of the Art Lee Brotherston - @synackpse -
#TLSHugs
- Ignore TLS - Break TLS - Embrace TLS Lee
Brotherston - @synackpse - #TLSHugs
Ignore TLS Lee Brotherston - @synackpse - #TLSHugs
IDS Rules Protocol ClearText TLS Enabled HTTP(S) 1572 25 IMAP(S)
34 10 SMTP(S) 73 10 Lee Brotherston - @synackpse - #TLSHugs
permit any > any port 443 Universal Firewall Bypass Port!
Lee Brotherston - @synackpse - #TLSHugs
ssh -p443 user@myhost (don’t pretend you don’t) Lee Brotherston -
@synackpse - #TLSHugs
So, what then? Lee Brotherston - @synackpse - #TLSHugs
EndMalVirusPointRansomWhitelistWareProtection Lee Brotherston - @synackpse - #TLSHugs
Blacklists Lee Brotherston - @synackpse - #TLSHugs
Break TLS Lee Brotherston - @synackpse - #TLSHugs
Request Request Response Proxy Server Client TLS Handshake TLS Handshake
Response ClearText Actual Certificate Authority work CA :) Lee Brotherston - @synackpse - #TLSHugs
Break The CA Model …. even more Lee Brotherston -
@synackpse - #TLSHugs
Compromised Appliance Lee Brotherston - @synackpse - #TLSHugs
Compromised Internal CA/Key Lee Brotherston - @synackpse - #TLSHugs
Key Management is Haaarrrddd Lee Brotherston - @synackpse - #TLSHugs
Poor Certificate Validation Lee Brotherston - @synackpse - #TLSHugs
“Trusted” CA List Lee Brotherston - @synackpse - #TLSHugs
Trust What The Appliance Trusts *cough* WoSign *cough* Lee Brotherston
- @synackpse - #TLSHugs
Certificate [un]Pinning Lee Brotherston - @synackpse - #TLSHugs
Malicious Insider Lee Brotherston - @synackpse - #TLSHugs
Embracing TLS? Lee Brotherston - @synackpse - #TLSHugs
Goals Lee Brotherston - @synackpse - #TLSHugs
Coarse Content Filtering Application Detection Coarse Logging Granular Logging Certificate
Checks Cryptographic Checks Granular Content Filtering In-Page Exploits Malware Detection Data Exfiltration DLP Lee Brotherston - @synackpse - #TLSHugs
“Perfection is the enemy of good enough” Lee Brotherston -
@synackpse - #TLSHugs
Lee Brotherston - @synackpse - #TLSHugs
Lee Brotherston - @synackpse - #TLSHugs
Fun with Packet Sniffing Lee Brotherston - @synackpse - #TLSHugs
TLS Fingerprinting (I hear someone did a talk on that)
…. (it was me) Lee Brotherston - @synackpse - #TLSHugs
Spotting $bad Lee Brotherston - @synackpse - #TLSHugs
None
[semi]Automated fingerprinting Lee Brotherston - @synackpse - #TLSHugs
Pseudo “anomaly based detection” Lee Brotherston - @synackpse - #TLSHugs
Fingerprint Canaries Lee Brotherston - @synackpse - #TLSHugs
None
Incident Response & Attribution(ish) Lee Brotherston - @synackpse - #TLSHugs
Vorführeffekt
OK, Enough Fingerprinting Lee Brotherston - @synackpse - #TLSHugs
Server Responses Lee Brotherston - @synackpse - #TLSHugs
Certificates Lee Brotherston - @synackpse - #TLSHugs
Do You Even IDS, Bro? Lee Brotherston - @synackpse -
#TLSHugs
Inline TLS Shenanigans Lee Brotherston - @synackpse - #TLSHugs
TLS Handshake Mangling Lee Brotherston - @synackpse - #TLSHugs
Request Request Response Proxy Server Client TLS Handshake TLS Handshake
Response Nope Lee Brotherston - @synackpse - #TLSHugs
Proxy Server Client TLS Request Response Request Response TLS Version
Ciphersuites Hashing Algorithms Hostname (SNI) Curves Server Hello Certificates Lee Brotherston - @synackpse - #TLSHugs
Subtractive only Lee Brotherston - @synackpse - #TLSHugs
The Compliances Lee Brotherston - @synackpse - #TLSHugs
A Remaining Problem Lee Brotherston - @synackpse - #TLSHugs
None
None
None
None
A Solution…. Kinda Lee Brotherston - @synackpse - #TLSHugs
None
None
None
None
Coarse Content Filtering Application Detection Coarse Logging Granular Logging Certificate
Checks In-Page Exploits Malware Detection Data Exfiltration DLP How Did we Do? ✓ ✓ ✓ ✓ ✓ ✓ ✗ …? Lee Brotherston - @synackpse - #TLSHugs ✓
One more thing… Lee Brotherston - @synackpse - #TLSHugs
8138561f1c4407e872a729a2d4a8f03d1927a7cd5dc9cb2f4812b50986c386a 116ab557841a5e4c9d80680697fc2c13ef7b01bb5e4e6ae71940e58fa757316 e0ee8ef327d403bba2e1c2bde3ead4166b4e1f93135e3a7acd3cddf3893b349 a120b27ed522d3176d08fc2c0984b911bd09f9601133180702542cb99dea311 0d31a40c75493db1ca59bb5e168df86ccea981f81e0466cc584461eac7dae86 6d3cc0f69e166c7d0a3019f1a163a7ba9273be13e404be0f432b65ea574badd 06a2fcc7ccff992a028c6c40c5de50428af37a1ec8f6db7d1a07af8de1486db c1a69c6bbc734cf17a1f13a48d27a218887b36b1e103964a66b38c74a73c6b9 602da341089709ef7e833e1715fe3bd85151 Lee
Brotherston - @synackpse - #TLSHugs
Host: www.myhost.com User-Agent: MyBrowser/10.4 (Some OS) CoolWebKit/537.36 Accept: text/html,application/xhtml+xml,application/xml Accept-Encoding:
gzip, deflate, sdch Accept-Language: en-US,en;q=0.8 GET /XXXXXXXXXXX HTTP/1.1 227 206 151 95 58 26 Lee Brotherston - @synackpse - #TLSHugs
Conclusion Lee Brotherston - @synackpse - #TLSHugs
Stuff … TLS Fingerprinting: https://github.com/LeeBrotherston/tls-fingerprinting https://blog.squarelemon.com/tls-fingerprinting/ TLS Mangler (soon): https://github.com/LeeBrotherston/<somewhere>
TLS Profiling: https://gist.github.com/wxsBSD/6d5e777afc31b3cf46d0 https://gist.github.com/wxsBSD/0c6584913bcc5e6da31b Slide Deck: https://speakerdeck.com/leebrotherston/ The Twitters (me): @synackpse Lee Brotherston - @synackpse - #TLSHugs
Any Questions? Lee Brotherston - @synackpse - #TLSHugs
SiteGround - Reliable hosting with speed, security, and support you can count on.
leebrotherston
coco_se
kawauso
hirodragon112
hr01
a2ush
you
iotengineer22
kkato1
cmhiranofumio
kaminashi
tanakaseiya
ryoaccount
tmiket
sergeychernyshev
jonoalderson
thekraken
pauljervisheath
pedronauck
aleyda
tamaranovitovic
tonyrice
coloredviolet
nikkihalliwell
![Certificate [un]Pinning Lee Brotherston - @synackpse - #TLSHugs](https://files.speakerdeck.com/presentations/aa35560f56a348a0bf881c6676b9d9c7/slide_21.jpg){kind=link}
![[semi]Automated fingerprinting Lee Brotherston - @synackpse - #TLSHugs](https://files.speakerdeck.com/presentations/aa35560f56a348a0bf881c6676b9d9c7/slide_33.jpg){kind=link}
