Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Blue Team TLS Hugs
Search
Lee Brotherston
July 29, 2017
Technology
0
330
Blue Team TLS Hugs
My talk given at the Crypto & Privacy Village at Defcon 25
Lee Brotherston
July 29, 2017
Tweet
Share
More Decks by Lee Brotherston
See All by Lee Brotherston
TLS Tools for Blue Teams
leebrotherston
0
130
Abusing TLS For Defensive Wins
leebrotherston
2
960
TLS Fingerprinting SecTorCA Edition
leebrotherston
0
160
Stealthier Attacks and Smarter Defending with TLS Fingerprinting
leebrotherston
0
190
The Cynical Trust Model
leebrotherston
0
48
Corporation In The Middle
leebrotherston
0
110
Corporation In The Middle - SecTor
leebrotherston
0
29
Incident Response for Cheapskates - BSidesTO 2013
leebrotherston
0
57
Other Decks in Technology
See All in Technology
Além do else! Categorizando Pokemóns com Pattern Matching no JavaScript
wmsbill
0
650
APIファーストなプロダクトマネジメントの実践 〜SaaSus Platformでの例〜 / "Practicing API-First Product Management - An Example with SaaSus Platform
oztick139
0
110
どうするコスト最適化のトレードオフ
tetsuyaooooo
1
580
ServiceNow Knowledge 24の歩き方 EYストラテジー・アンド・コンサルティング
manarobot
0
200
MapLibreとAmazon Location Service
dayjournal
1
160
生産性向上チームの紹介
cybozuinsideout
PRO
1
880
ServiceNow Knowledge Learning Rise up
manarobot
0
210
R3のコードから見る実践LINQ実装最適化・コンカレントプログラミング実例
neuecc
2
340
Terraformあれやこれ/terraform-this-and-that
emiki
8
1.5k
現代CSSフレームワークの内部実装とその仕組み
poteboy
8
3.7k
Cracking the KubeCon CfP
inductor
2
250
JSON攻略法.pdf
miyakemito
8
5.1k
Featured
See All Featured
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
155
14k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
GitHub's CSS Performance
jonrohan
1025
450k
Large-scale JavaScript Application Architecture
addyosmani
504
110k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
Designing with Data
zakiwarfel
96
4.8k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
19
1.7k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.1k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
2
3.4k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.6k
Typedesign – Prime Four
hannesfritz
36
2.1k
Transcript
Blue Team TLS Hugs Lee Brotherston - @synackpse - #TLSHugs
SSL TLS does what now? Lee Brotherston - @synackpse -
#TLSHugs
Renegotiation... Encrypted Data Key Exchange Kittens... Unicorn Tears Pixie Dust
Client Client Hello Server Server Hello Lee Brotherston - @synackpse - #TLSHugs
Current State of the Art Lee Brotherston - @synackpse -
#TLSHugs
- Ignore TLS - Break TLS - Embrace TLS Lee
Brotherston - @synackpse - #TLSHugs
Ignore TLS Lee Brotherston - @synackpse - #TLSHugs
IDS Rules Protocol ClearText TLS Enabled HTTP(S) 1572 25 IMAP(S)
34 10 SMTP(S) 73 10 Lee Brotherston - @synackpse - #TLSHugs
permit any > any port 443 Universal Firewall Bypass Port!
Lee Brotherston - @synackpse - #TLSHugs
ssh -p443 user@myhost (don’t pretend you don’t) Lee Brotherston -
@synackpse - #TLSHugs
So, what then? Lee Brotherston - @synackpse - #TLSHugs
EndMalVirusPointRansomWhitelistWareProtection Lee Brotherston - @synackpse - #TLSHugs
Blacklists Lee Brotherston - @synackpse - #TLSHugs
Break TLS Lee Brotherston - @synackpse - #TLSHugs
Request Request Response Proxy Server Client TLS Handshake TLS Handshake
Response ClearText Actual Certificate Authority work CA :) Lee Brotherston - @synackpse - #TLSHugs
Break The CA Model …. even more Lee Brotherston -
@synackpse - #TLSHugs
Compromised Appliance Lee Brotherston - @synackpse - #TLSHugs
Compromised Internal CA/Key Lee Brotherston - @synackpse - #TLSHugs
Key Management is Haaarrrddd Lee Brotherston - @synackpse - #TLSHugs
Poor Certificate Validation Lee Brotherston - @synackpse - #TLSHugs
“Trusted” CA List Lee Brotherston - @synackpse - #TLSHugs
Trust What The Appliance Trusts *cough* WoSign *cough* Lee Brotherston
- @synackpse - #TLSHugs
Certificate [un]Pinning Lee Brotherston - @synackpse - #TLSHugs
Malicious Insider Lee Brotherston - @synackpse - #TLSHugs
Embracing TLS? Lee Brotherston - @synackpse - #TLSHugs
Goals Lee Brotherston - @synackpse - #TLSHugs
Coarse Content Filtering Application Detection Coarse Logging Granular Logging Certificate
Checks Cryptographic Checks Granular Content Filtering In-Page Exploits Malware Detection Data Exfiltration DLP Lee Brotherston - @synackpse - #TLSHugs
“Perfection is the enemy of good enough” Lee Brotherston -
@synackpse - #TLSHugs
Lee Brotherston - @synackpse - #TLSHugs
Lee Brotherston - @synackpse - #TLSHugs
Fun with Packet Sniffing Lee Brotherston - @synackpse - #TLSHugs
TLS Fingerprinting (I hear someone did a talk on that)
…. (it was me) Lee Brotherston - @synackpse - #TLSHugs
Spotting $bad Lee Brotherston - @synackpse - #TLSHugs
None
[semi]Automated fingerprinting Lee Brotherston - @synackpse - #TLSHugs
Pseudo “anomaly based detection” Lee Brotherston - @synackpse - #TLSHugs
Fingerprint Canaries Lee Brotherston - @synackpse - #TLSHugs
None
Incident Response & Attribution(ish) Lee Brotherston - @synackpse - #TLSHugs
Vorführeffekt
OK, Enough Fingerprinting Lee Brotherston - @synackpse - #TLSHugs
Server Responses Lee Brotherston - @synackpse - #TLSHugs
Certificates Lee Brotherston - @synackpse - #TLSHugs
Do You Even IDS, Bro? Lee Brotherston - @synackpse -
#TLSHugs
Inline TLS Shenanigans Lee Brotherston - @synackpse - #TLSHugs
TLS Handshake Mangling Lee Brotherston - @synackpse - #TLSHugs
Request Request Response Proxy Server Client TLS Handshake TLS Handshake
Response Nope Lee Brotherston - @synackpse - #TLSHugs
Proxy Server Client TLS Request Response Request Response TLS Version
Ciphersuites Hashing Algorithms Hostname (SNI) Curves Server Hello Certificates Lee Brotherston - @synackpse - #TLSHugs
Subtractive only Lee Brotherston - @synackpse - #TLSHugs
The Compliances Lee Brotherston - @synackpse - #TLSHugs
A Remaining Problem Lee Brotherston - @synackpse - #TLSHugs
None
None
None
None
A Solution…. Kinda Lee Brotherston - @synackpse - #TLSHugs
None
None
None
None
Coarse Content Filtering Application Detection Coarse Logging Granular Logging Certificate
Checks In-Page Exploits Malware Detection Data Exfiltration DLP How Did we Do? ✓ ✓ ✓ ✓ ✓ ✓ ✗ …? Lee Brotherston - @synackpse - #TLSHugs ✓
One more thing… Lee Brotherston - @synackpse - #TLSHugs
8138561f1c4407e872a729a2d4a8f03d1927a7cd5dc9cb2f4812b50986c386a 116ab557841a5e4c9d80680697fc2c13ef7b01bb5e4e6ae71940e58fa757316 e0ee8ef327d403bba2e1c2bde3ead4166b4e1f93135e3a7acd3cddf3893b349 a120b27ed522d3176d08fc2c0984b911bd09f9601133180702542cb99dea311 0d31a40c75493db1ca59bb5e168df86ccea981f81e0466cc584461eac7dae86 6d3cc0f69e166c7d0a3019f1a163a7ba9273be13e404be0f432b65ea574badd 06a2fcc7ccff992a028c6c40c5de50428af37a1ec8f6db7d1a07af8de1486db c1a69c6bbc734cf17a1f13a48d27a218887b36b1e103964a66b38c74a73c6b9 602da341089709ef7e833e1715fe3bd85151 Lee
Brotherston - @synackpse - #TLSHugs
Host: www.myhost.com User-Agent: MyBrowser/10.4 (Some OS) CoolWebKit/537.36 Accept: text/html,application/xhtml+xml,application/xml Accept-Encoding:
gzip, deflate, sdch Accept-Language: en-US,en;q=0.8 GET /XXXXXXXXXXX HTTP/1.1 227 206 151 95 58 26 Lee Brotherston - @synackpse - #TLSHugs
Conclusion Lee Brotherston - @synackpse - #TLSHugs
Stuff … TLS Fingerprinting: https://github.com/LeeBrotherston/tls-fingerprinting https://blog.squarelemon.com/tls-fingerprinting/ TLS Mangler (soon): https://github.com/LeeBrotherston/<somewhere>
TLS Profiling: https://gist.github.com/wxsBSD/6d5e777afc31b3cf46d0 https://gist.github.com/wxsBSD/0c6584913bcc5e6da31b Slide Deck: https://speakerdeck.com/leebrotherston/ The Twitters (me): @synackpse Lee Brotherston - @synackpse - #TLSHugs
Any Questions? Lee Brotherston - @synackpse - #TLSHugs