Stealthier Attacks and Smarter Defending with TLS Fingerprinting

Transcript

1. Stealthier Attacks & Smarter Defending with TLS Fingerprinting Lee Brotherston

   @synackpse #TLSFP

2. … A “Zero Math, (almost) Zero Crypto”, TLS Talk Lee

   Brotherston @synackpse #TLSFP

3. TLS PRIMER ….. (Shhhh…. it’s not a cryptographic algorithm)

4. None

5. Client Kittens…….. Unicorn Tears Pixie Dust TCP: SYN Server TCP:

   SYN/ACK TCP: ACK

6. Client Hello Server Client Server Hello Client Key Exchange Change

   Cipher Spec Change Cipher Spec Encrypted Data

7. Fingerprints

8. Why Clients?

9. SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5 SSLHonorCipherOrder on smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL,

   MD5 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_mandatory_protocols = TLSv1 ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

10. Origin Story

11. None
12. None
13. None
14. None
15. None
16. None
17. None

18. Expanding…

19. Content Type Version Length Handshake Type Length Version Random Session

    ID Length Session ID Cipher Suites Length Cipher Suites Compression Methods Length Compression Methods Extensions

20. Content Type Version Length Handshake Type Length Version Random Session

    ID Length Session ID Cipher Suites Length Cipher Suites Compression Methods Length Compression Methods Extensions

21. Extensions

22. Significant, key - value order is!

23. Creating a FingerPrint

24. { "id": 0, "desc": "Dropbox (Win 8.1)”, "record_tls_version": “0x0301", "tls_version":

    “0x0301", "ciphersuite_length": “0x0010", "ciphersuite": "0xC014 0xC013 0xC011 0x0039 0x0033 0x0035 0x002F 0x00FF", "compression_length": “1", "compression": “0x00", "extensions": "0x0000 0x0023”, "server_name": “client-lb.dropbox.com" }

25. Deobfuscation

26. ssh -p443 user@myhost (don’t pretend you don’t)

27. Any Port ✓ Stateless ✓ Asymmetric ✓ Low Cost ✓

28. tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1) and ((tcp[tcp[12]/16*4+9]=3) or (tcp[tcp[12]/16*4+9]=0)) and ((tcp[tcp[12]/16*4+1]=3) or

    (tcp[tcp[12]/16*4+1]=0))

29. tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1) and (tcp[tcp[12]/16*4+9]=3) and (tcp[tcp[12]/16*4+1]=3)

30. Storage & Retention

31. Client to Server Server to Client False Positive Unfiltered 9547378

    3776313 99.226% Handshake & Client Hello Filter 51766 59 2.859% 1st Byte TLS Version 51677 3 0.005% 1st Byte TLS Version (Record) 51677 0 0.000%

32. Moving on…..

33. Own Fingerprint Modification

34. Collisions? Car & Photo: @snipeyhead

35. Yes… ok no…. sort of….. a bit…. occasionally

36. Defender Level 1: Detection

37. SRC DEST 192.168.1.37:3847 66.185.84.30:443 192.168.1.37:44870 74.125.226.150:443 192.168.1.49:36469 38.229.70.22:6667 192.168.1.122:51593 54.204.30.235:22

    10.54.107.19:64926 194.54.103.65:22 10.54.103.99:3010 54.204.30.201:443 10.54.103.76:3013 64.136.25.171:80 10.54.103.66:3847 192.168.10.64:25 10.54.103.33:3009 54.204.30.11:443 10.54.103.99:3010 192.168.10.10:443

38. Attributon: Alex Pinto MLSec

39. $ sudo tcpdump -Xni eth0 host desktop 16:29:39.149010 IP 10.54.103.76.3010

    > 54.204.30.201.443: Flags [P.], seq 826:991, ack 990, win 64, options [nop,nop,TS val 1123747053 ecr 530699601], length 165 0x0000: 4500 00d9 62a9 4000 3306 586b 36af 939e [email protected]... 0x0010: c0a8 0115 01bb c04d 49e3 2eec fb96 5e29 .......MI.....^) 0x0020: 8018 0040 ff69 0000 0101 080a 42fb 04ed [email protected]... 0x0030: 1fa1 d551 1703 0300 a008 7a4c d2cf 56e3 ...Q......zL..V. 0x0040: b83a b448 3e23 accd 3495 a547 202a e88a .:.H>#..4..G.*.. 0x0050: f05d 9f25 121a 9e1e 4944 4431 f493 0b4d .].%....IDD1...M 0x0060: e5fc c83c a77c 0cf6 6adb 96d6 7b05 481d ...<.|..j...{.H. 0x0070: 84d8 9049 952d d524 6643 00aa ccc7 48d1 ...I.-.$fC....H. 0x0080: 31d4 d033 d523 39e7 dbcd 5b8f 2204 da9d 1..3.#9...[."... 0x0090: 66fb ee3d b9c3 2bb2 5649 bdac 240d 4942 f..=..+.VI..$.IB 0x00a0: f588 e44a 44da 64cd f35c a73b 1bdf d9ac ...JD.d..\.;.... 0x00b0: 1bad dfc1 4c75 253d dcf0 42f9 452b 1fea ....Lu%=..B.E+.. 0x00c0: d5d9 384b 9d63 804e ccfb 2f08 8404 035d ..8K.c.N../....] 0x00d0: 269b 0a99 7801 970c 9a &...x....

40. Probably Browsing ¯\_(ツ)_/¯

41. SRC DEST 192.168.1.37:3847 66.185.84.30:443 192.168.1.37:44870 74.125.226.150:443 192.168.1.49:36469 38.229.70.22:6667 192.168.1.122:51593 54.204.30.235:22

    10.54.107.19:64926 194.54.103.65:22 10.54.103.99:3010 54.204.30.201:443 10.54.103.76:3013 64.136.25.171:80 10.54.103.66:3847 192.168.10.64:25 10.54.103.33:3009 54.204.30.11:443 10.54.103.99:3010 192.168.10.10:443

42. SRC DEST 192.168.1.37:3847 www.google.com:443 192.168.1.37:44870 Unknown:443 192.168.1.49:36469 FreeNode IRC:6667 192.168.1.122:51593

    AWS Something:22 10.54.107.19:64926 Unknown:22 10.54.103.99:3010 AWS Something:443 10.54.103.76:3013 Unknown:80 10.54.103.66:3847 Internal SMTP:25 10.54.103.33:3009 AWS Something:443 10.54.103.99:3010 Sharepoint:443

43. SRC DEST 192.168.1.37:3847 www.google.com:443 192.168.1.37:44870 Unknown:443 192.168.1.49:36469 FreeNode IRC:6667 192.168.1.122:51593

    AWS Something:22 10.54.107.19:64926 Unknown:22 10.54.103.99:3010 AWS Something:443 10.54.103.76:3013 Unknown:80 10.54.103.66:3847 Internal SMTP:25 10.54.103.33:3009 AWS Something:443 10.54.103.99:3010 Sharepoint:443 mitmproxy Tor

44. “Anomaly Detection”

45. Not Just Hax0ring

46. None

47. Attacker Level 1: Stealth MiTM

48. ARP Cache Poisoning DNS Spoofing BGP Hijacking Hacked Proxy Malicious

    Tor Node Local Agent Malicious Provider Rogue DHCP

49. TLS Attacks

50. None
51. None
52. None

53. Real Server Client Evil Server TCP: SYN TCP: SYN/ACK TCP:

    ACK Client Hello Hacker
54. None
55. None

56. Defender Level 2: Fingerprint Defined Routing

57. Real Server Client Defence Honey Pot TCP: SYN TCP: SYN/ACK

    TCP: ACK Client Hello

58. Attacker Level 2: AntiForensics

59. Enumerated Targets ✓ Prepared Exploits ✓ Delivered Stager/Phish ✓ Awaiting

    Callback …

60. Meanwhile… wget --user-agent="Mozilla/4.0 (Windows; MSIE 7.0; Windows NT 5.1; SV1;

    .NET CLR 2.0.50727)" https://evil_url.com/thing/

61. “Legit” Server Client Attack Server TCP: SYN TCP: SYN/ACK TCP:

    ACK Client Hello IE7 wget Hacker

62. Defender Level 3: Fingerprint Canaries

63. Homogeneous Platforms

64. End Of Level Boss: Nation State Attackers (zomg!)

65. Honorable Mention: HoneyPots

66. Tools

67. FingerprinTLS $ sudo ./ssl_fingerprint/fingerprintls/fingerprintls -i en0 -s Password: Using interface:

    en0 Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56274 to 104.244.43.39:443 Servername: "pbs.twimg.com" Fingerprint Matched: "Tor uplink" TLSv1.2 connection from 192.168.1.5:56281 to 167.114.152.100:443 Servername: "www.i6l66pzauglk2kqx2b.com" Fingerprint Matched: "Tor uplink" TLSv1.2 connection from 192.168.1.5:56280 to 37.221.162.226:9001 Servername: “www.jy27vswlheykb2dptady.com" Fingerprint Matched: "mutt (tested: 1.5.23 - OS X)" TLSv1.2 connection from 192.168.1.5:56316 to 74.125.69.108:993 Servername: "Not Set” Fingerprint Matched: "ThunderBird (v38.0.1 OS X)" TLSv1.2 connection from 192.168.1.5:56394 to 74.125.69.108:993 Servername: “imap.gmail.com” Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56233 to 104.244.43.199:443 Servername: "pbs.twimg.com" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56236 to 23.195.217.14:443 Servername: "s.mzstatic.com" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56242 to 184.25.66.217:443 Servername: "itunes.apple.com" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56243 to 23.195.218.30:443 Servername: "su.itunes.apple.com" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56246 to 23.21.97.18:443 Servername: "vine.co" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56247 to 184.25.66.217:443 Servername: "init.itunes.apple.com" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56248 to 104.244.43.229:443 Servername: "v.cdn.vine.co" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56250 to 17.173.66.136:443 Servername: "xp.apple.com" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56253 to 23.195.217.14:443 Servername: "s.mzstatic.com" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56259 to 23.195.218.30:443 Servername: "se.itunes.apple.com" Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56267 to 104.244.43.167:443 Servername: "pbs.twimg.com" Fingerprint Matched: "AppleWebKit/600.7.12 or 600.1.4" TLSv1.2 connection from 192.168.1.5:56273 to 104.244.43.7:443 Servername: "pbs.twimg.com"

68. { 0, "Shodan", 0x0301, 0x0302, 0x0010, {0x00,0x14,0x00,0x11,0x00,0x19,0x00,0x08, 0x00,0x06,0x00,0x17,0x00,0x03,0x00,0xFF}, 1, {0x00},

    4, {0x00,0x23,0x00,0x0F} , 0 , {} , 0 , {} , 0 , {} } Fingerprintout

69. alert tcp any any -> any any ( msg:"ruby script

    (tested: 2.0.0p481)"; content: "|16 03 01|"; offset: 0; depth: 3; rawbytes; content: "| 01|"; distance: 1; rawbytes; content: "|03 01|"; distance: 3; rawbytes; byte_jump: 1,43,align; content: "|00 24|"; distance: 0; rawbytes; content: "|00 39 00 38 00 35 00 33 00 32 00 2F 00 16 00 13 00 0A 00 9A 00 99 00 96 00 05 00 04 00 15 00 12 00 09 00 FF|"; distance: 0; rawbytes; content: "|01 00|"; distance: 0; rawbytes; content: "|00 00|"; rawbytes; distance: 2; byte_jump: 2,0,relative; content: "|00 23|"; rawbytes; distance: 0; sid:1000169; rev:1;) Fingerprintout

70. $ ./parse_fingerprint.py ../json/combined.json xkeyscore # Rule for "Mozilla/4.0 (compatible; MSIE

    6.0 or MSIE 7.0)" “\x16\x03\x01.*\x01.*\x03\x01.* \x00\x16\x00\x04\x00\x05\x00\x0\x00\x09\x00\x64\x00\x62\x00 \x03\x00\x06\x00\x13\x00\x12\x00\x63.*\x00" Fingerprintout

71. $ ./parse_fingerprint.py ./combined.json cleanse | grep '#' # Oh no,

    2 signatures match: Java (tested: v8 Update 60) - Archive.org bot # Oh no, 2 signatures match: Archive.org bot - Java (tested: v8 Update 60) Fingerprintout

72. (╯°□°）╯︵ ┻━┻

73. None

74. {"id": 0, "desc": "MS Word / MS WebDav", "record_tls_version": "

    0x0301", "tls_version": "0x0301 ", "ciphersuite_length": "0x0014 ", "ciphersuite": "0xC014 0xC013 0xC00A 0xC009 0x0035 0x002F 0x0038 0x0032 0x000A 0x0013", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0000 0x000A 0x000B 0xFF01", "e_curves": " 0x0019 0x0017 0x0018 ", "sig_alg": " ", "ec_point_fmt": " 0x00 ", "server": "" } {"id": 0, "desc": "Internet Explorer 11.0.9600.17959", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x0030 ", "ciphersuite": "0xC028 0xC027 0xC014 0xC013 0x009F 0x009E 0x009D 0x009C 0xC02C 0xC02B 0xC024 0xC023 0xC00A 0xC009 0x003D 0x003C 0x0035 0x002F 0x006A 0x0040 0x0038 0x0032 0x000A 0x0013", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0000 0x0005 0x000A 0x000B 0x000D 0xFF01", "e_curves": " 0x0017 0x0018 0x0019 ", "sig_alg": " 0x0601 0x0603 0x0401 0x0501 0x0201 0x0403 0x0503 0x0203 0x0202 ", "ec_point_fmt": " 0x00 ", "server": "" } {"id": 0, "desc": "Pidgin (tested 2.10.11)", "record_tls_version": " 0x0301", "tls_version": "0x0303 ", "ciphersuite_length": "0x0022 ", "ciphersuite": "0xC02B 0xC02F 0xC00A 0xC009 0xC013 0xC027 0xC014 0xC007 0xC011 0x009E 0x0033 0x0032 0x0067 0x0039 0x006B 0x002F 0x0035", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0000 0xFF01 0x000A 0x000B 0x000D", "e_curves": " 0x0017 0x0018 0x0019 ", "sig_alg": " 0x0401 0x0501 0x0201 0x0403 0x0503 0x0203 0x0402 0x0202 ", "ec_point_fmt": " 0x00 ", "server": "" } {"id": 0, "desc": "Windows Java Plugin (tested: v8 Update 60)", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x003A ", "ciphersuite": "0xC023 0xC027 0x003C 0xC025 0xC029 0x0067 0x0040 0xC009 0xC013 0x002F 0xC004 0xC00E 0x0033 0x0032 0xC02B 0xC02F 0x009C 0xC02D 0xC031 0x009E 0x00A2 0xC008 0xC012 0x000A 0xC003 0xC00D 0x0016 0x0013 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x000A 0x000B 0x000D 0x0000", "e_curves": " 0x0017 0x0001 0x0003 0x0013 0x0015 0x0006 0x0007 0x0009 0x000A 0x0018 0x000B 0x000C 0x0019 0x000D 0x000E 0x000F 0x0010 0x0011 0x0002 0x0012 0x0004 0x0005 0x0014 0x0008 0x0016 ", "sig_alg": " 0x0603 0x0601 0x0503 0x0501 0x0403 0x0401 0x0303 0x0301 0x0203 0x0201 0x0202 0x0101 ", "ec_point_fmt": " 0x00 ", "server": "" } {"id": 0, "desc": "Windows 8.x Apps Store thing (unconfirmed)", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x0034 ", "ciphersuite": "0xC028 0xC027 0xC014 0xC013 0x009F 0x009E 0x009D 0x009C 0x003D 0x003C 0x0035 0x002F 0xC02C 0xC02B 0xC024 0xC023 0xC00A 0xC009 0x006A 0x0040 0x0038 0x0032 0x000A 0x0013 0x0005 0x0004", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0000 0x000A 0x000B 0x000D 0x0023 0xFF01", "e_curves": " 0x0017 0x0018 ", "sig_alg": " 0x0401 0x0501 0x0601 0x0201 0x0403 0x0503 0x0603 0x0203 0x0202 ", "ec_point_fmt": " 0x00 ", "server": "" } {"id": 0, "desc": "w3c HTML Validator", "record_tls_version": " 0x0301", "tls_version": "0x0303 ", "ciphersuite_length": "0x00AE ", "ciphersuite": "0xC030 0xC02C 0xC028 0xC024 0xC014 0xC00A 0x00A3 0x009F 0x006B 0x006A 0x0039 0x0038 0x0088 0x0087 0xC019 0x00A7 0x006D 0x003A 0x0089 0xC032 0xC02E 0xC02A 0xC026 0xC00F 0xC005 0x009D 0x003D 0x0035 0x0084 0xC012 0xC008 0x0016 0x0013 0xC017 0x001B 0xC00D 0xC003 0x000A 0xC02F 0xC02B 0xC027 0xC023 0xC013 0xC009 0x00A2 0x009E 0x0067 0x0040 0x0033 0x0032 0x009A 0x0099 0x0045 0x0044 0xC018 0x00A6 0x006C 0x0034 0x009B 0x0046 0xC031 0xC02D 0xC029 0xC025 0xC00E 0xC004 0x009C 0x003C 0x002F 0x0096 0x0041 0xC011 0xC007 0xC016 0x0018 0xC00C 0xC002 0x0005 0x0004 0x0014 0x0011 0x0019 0x0008 0x0006 0x0017 0x0003 0x00FF", "compression_length": "2 ", "compression": "0x01 0x00", "extensions": "0x0000 0x000B 0x000A 0x0023 0x000D 0x000F", "e_curves": " 0x000E 0x000D 0x0019 0x000B 0x000C 0x0018 0x0009 0x000A 0x0016 0x0017 0x0008 0x0006 0x0007 0x0014 0x0015 0x0004 0x0005 0x0012 0x0013 0x0001 0x0002 0x0003 0x000F 0x0010 0x0011 ", "sig_alg": " 0x0601 0x0602 0x0603 0x0501 0x0502 0x0503 0x0401 0x0402 0x0403 0x0301 0x0302 0x0303 0x0201 0x0202 0x0203 0x0101 ", "ec_point_fmt": " 0x00 0x01 0x02 ", "server": "" } {"id": 0, "desc": "w3c HTML Validator", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x0064 ", "ciphersuite": "0xC024 0xC028 0x003D 0xC026 0xC02A 0x006B 0x006A 0xC00A 0xC014 0x0035 0xC005 0xC00F 0x0039 0x0038 0xC023 0xC027 0x003C 0xC025 0xC029 0x0067 0x0040 0xC009 0xC013 0x002F 0xC004 0xC00E 0x0033 0x0032 0xC02C 0xC02B 0xC030 0x009D 0xC02E 0xC032 0x009F 0x00A3 0xC02F 0x009C 0xC02D 0xC031 0x009E 0x00A2 0xC008 0xC012 0x000A 0xC003 0xC00D 0x0016 0x0013 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x000A 0x000B 0x000D 0x0000", "e_curves": " 0x0017 0x0001 0x0003 0x0013 0x0015 0x0006 0x0007 0x0009 0x000A 0x0018 0x000B 0x000C 0x0019 0x000D 0x000E 0x000F 0x0010 0x0011 0x0002 0x0012 0x0004 0x0005 0x0014 0x0008 0x0016 ", "sig_alg": " 0x0603 0x0601 0x0503 0x0501 0x0403 0x0401 0x0303 0x0301 0x0203 0x0201 0x0202 0x0101 ", "ec_point_fmt": " 0x00 ", "server": "" } {"id": 0, "desc": "Archive.org bot", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x003A ", "ciphersuite": "0xC023 0xC027 0x003C 0xC025 0xC029 0x0067 0x0040 0xC009 0xC013 0x002F 0xC004 0xC00E 0x0033 0x0032 0xC02B 0xC02F 0x009C 0xC02D 0xC031 0x009E 0x00A2 0xC008 0xC012 0x000A 0xC003 0xC00D 0x0016 0x0013 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x000A 0x000B 0x000D 0x0000", "e_curves": " 0x0017 0x0001 0x0003 0x0013 0x0015 0x0006 0x0007 0x0009 0x000A 0x0018 0x000B 0x000C 0x0019 0x000D 0x000E 0x000F 0x0010 0x0011 0x0002 0x0012 0x0004 0x0005 0x0014 0x0008 0x0016 ", "sig_alg": " 0x0603 0x0601 0x0503 0x0501 0x0403 0x0401 0x0303 0x0301 0x0203 0x0201 0x0202 0x0101 ", "ec_point_fmt": " 0x00 ", "server": "" } {"id": 0, "desc": "OpenSSL s-client with -tls1 flag", "record_tls_version": " 0x0301", "tls_version": "0x0301 ", "ciphersuite_length": "0x002E ", "ciphersuite": "0x0039 0x0038 0x0035 0x0016 0x0013 0x000A 0x0033 0x0032 0x002F 0x009A 0x0099 0x0096 0x0005 0x0004 0x0015 0x0012 0x0009 0x0014 0x0011 0x0008 0x0006 0x0003 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0023", "e_curves": " ", "sig_alg": " ", "ec_point_fmt": " ", "server": "" } {"id": 0, "desc": "GNUTLS Commandline", "record_tls_version": " 0x0301", "tls_version": "0x0303 ", "ciphersuite_length": "0x0084 ", "ciphersuite": "0xC02B 0xC02C 0xC086 0xC087 0xC009 0xC023 0xC00A 0xC024 0xC072 0xC073 0xC008 0xC007 0xC02F 0xC030 0xC08A 0xC08B 0xC013 0xC027 0xC014 0xC028 0xC076 0xC077 0xC012 0xC011 0x009C 0x009D 0xC07A 0xC07B 0x002F 0x003C 0x0035 0x003D 0x0041 0x00BA 0x0084 0x00C0 0x000A 0x0005 0x0004 0x009E 0x009F 0xC07C 0xC07D 0x0033 0x0067 0x0039 0x006B 0x0045 0x00BE 0x0088 0x00C4 0x0016 0x00A2 0x00A3 0xC080 0xC081 0x0032 0x0040 0x0038 0x006A 0x0044 0x00BD 0x0087 0x00C3 0x0013 0x0066", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0005 0x0000 0xFF01 0x0023 0x000A 0x000B 0x000D", "e_curves": " 0x0017 0x0018 0x0019 0x0015 0x0013 ", "sig_alg": " 0x0401 0x0402 0x0403 0x0501 0x0503 0x0601 0x0603 0x0301 0x0302 0x0303 0x0201 FingerPrint DB

75. Demo?

76. What’s Next?

77. https://github.com/LeeBrotherston/tls-fingerprinting http://www.slideshare.net/leebrotherston @synackpse @FingerprinTLS #TLSFP https://blog.squarelemon.com/tls-fingerprinting/

78. Random Observations

79. Thank you! Lee Brotherston @synackpse #TLSFP