
TLS Tools for Blue Teams


TLS can cause problems for security teams: breaking TLS or ignoring TLS are common modus operandi, and both are flawed and expose organizations to weaknesses. This session focuses on the management of TLS from a blue team perspective, without either ignoring or breaking TLS implementations.

We will discuss specific tooling, with FingerPrinTLS and TLSProxy as the primary focus: how to configure and deploy them in the real world, application architecture, considerations and demonstrations.

Lee Brotherston

November 14, 2017


Transcript

  1. TLS_DHE_PSK_WITH_AES_256_CCM TLS_ECDHE_PSK_WITH_NULL_SHA256 TLS_SRP_SHA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CCM_8 TLS_RSA_WITH_AES_256_CCM TLS_ECDHE_PSK_WITH_NULL_SHA TLS_FALLBACK_SCSV TLS_KRB5_WITH_RC4_128_SHA TLS_DHE_PSK_WITH_AES_256_CCM TLS_ECDHE_PSK_WITH_NULL_SHA256 TLS_SRP_SHA_WITH_AES_256_CBC_SHA ¯\_(ツ)_/¯ TLS_RSA_WITH_AES_256_CCM_8 TLS_RSA_WITH_AES_256_CCM (o_O) TLS_ECDHE_PSK_WITH_NULL_SHA TLS_FALLBACK_SCSV TLS_KRB5_WITH_RC4_128_SHA (⌐▪_▪)
  2.-6. FingerPrinTLS packet pipeline (built up one stage per slide): libpcap → Berkeley Packet Filter (kernel) → Berkeley Packet Filter (userspace) → Layer 2 dissector → Layer 3 dissector → Teredo dissector / 6in4 / 6RD dissector → IPv4 dissector / IPv6 dissector → Payload dissector → TLS dissector
  7.-9. Fingerprint extraction pipeline (built up one stage per slide): Parse Fixed Fields → Discard Session Specific Data → Parse Dynamic Size Fields → Filter Padding → Filter GREASE → Parse Extensions → Lookup in DB. Example database record:

    {
      "id": 416,
      "desc": "Firefox 57",
      "record_tls_version": "0x0301",
      "tls_version": "0x0303",
      "ciphersuite_length": "0x1e",
      "ciphersuite": "0xc02bc02fcca9cca8c02cc030c00ac009c013c01400330039002f0035000a",
      "compression_length": "1",
      "compression": "0x00",
      "extensions": "0x00000017ff01000a000b002300100005000d",
      "e_curves": "0x001d001700180019",
      "sig_alg": "0x04030503060308040805080604010501060102030201",
      "ec_point_fmt": "0x00",
      "grease": false
    }
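The pipeline on slides 7-9, carried through in code. This is an added example and not FingerPrinTLS's own code: it parses a TLS ClientHello record into the same fields, with the same hex formatting, as the database record above, discards the random and session id, filters the padding extension (the equivalent of FingerPrinTLS's -D flag keeps it) and GREASE values, and looks the result up in a one-entry database built from the Firefox 57 record on the slide. The ClientHello bytes are constructed here from that record, with a padding extension added and, for the second run, GREASE values mixed in; the SNI and ALPN bodies are assumed values, since the fingerprint only records extension types.

```python
import struct

GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}
EXT_GROUPS, EXT_EC_FMT, EXT_SIG_ALGS, EXT_PADDING = 0x000A, 0x000B, 0x000D, 0x0015


def _u16s(data):
    """Split a byte string into big-endian 16-bit values."""
    return [struct.unpack_from("!H", data, i)[0] for i in range(0, len(data) - 1, 2)]


def _hex16(values):
    return "0x" + "".join("%04x" % v for v in values)


def parse_client_hello(record, keep_padding=False):
    """Session-independent ClientHello fields, keyed like the fingerprint DB."""
    ctype, rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    hs = record[5:5 + rec_len]
    if ctype != 0x16 or hs[0] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 4                                   # fixed fields: skip handshake header
    tls_ver = struct.unpack_from("!H", hs, pos)[0]
    pos += 2 + 32                             # 32-byte random: session-specific, discarded
    pos += 1 + hs[pos]                        # session id: session-specific, discarded
    cs_len = struct.unpack_from("!H", hs, pos)[0]      # dynamic-size fields from here on
    suites = _u16s(hs[pos + 2:pos + 2 + cs_len])
    pos += 2 + cs_len
    comp_len = hs[pos]
    comp = hs[pos + 1:pos + 1 + comp_len]
    pos += 1 + comp_len
    ext_end = pos + 2 + struct.unpack_from("!H", hs, pos)[0]
    pos += 2
    ext_types, groups, sig_algs, ec_fmt = [], [], [], b""
    grease = any(s in GREASE for s in suites)
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", hs, pos)
        body = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype in GREASE:                   # filter GREASE, but remember it was sent
            grease = True
            continue
        if etype == EXT_PADDING and not keep_padding:   # filter padding (-D keeps it)
            continue
        ext_types.append(etype)
        if etype == EXT_GROUPS:               # 2-byte list length, then 2-byte groups
            raw = _u16s(body[2:])
            grease = grease or any(g in GREASE for g in raw)
            groups = [g for g in raw if g not in GREASE]
        elif etype == EXT_SIG_ALGS:           # 2-byte list length, then 2-byte pairs
            sig_algs = _u16s(body[2:])
        elif etype == EXT_EC_FMT:             # 1-byte list length, then 1-byte formats
            ec_fmt = body[1:]
    suites = [s for s in suites if s not in GREASE]
    return {"record_tls_version": "0x%04x" % rec_ver, "tls_version": "0x%04x" % tls_ver,
            "ciphersuite_length": "0x%02x" % (2 * len(suites)), "ciphersuite": _hex16(suites),
            "compression_length": str(comp_len), "compression": "0x" + comp.hex(),
            "extensions": _hex16(ext_types), "e_curves": _hex16(groups),
            "sig_alg": _hex16(sig_algs), "ec_point_fmt": "0x" + ec_fmt.hex(), "grease": grease}


FINGERPRINT_DB = [{  # the Firefox 57 record from slide 9
    "id": 416, "desc": "Firefox 57", "record_tls_version": "0x0301", "tls_version": "0x0303",
    "ciphersuite_length": "0x1e",
    "ciphersuite": "0xc02bc02fcca9cca8c02cc030c00ac009c013c01400330039002f0035000a",
    "compression_length": "1", "compression": "0x00",
    "extensions": "0x00000017ff01000a000b002300100005000d", "e_curves": "0x001d001700180019",
    "sig_alg": "0x04030503060308040805080604010501060102030201",
    "ec_point_fmt": "0x00", "grease": False}]


def lookup(fp, db=FINGERPRINT_DB):
    """Exact match on every fingerprint field; None means an unknown client."""
    for entry in db:
        if all(entry[k] == fp[k] for k in fp):
            return entry["desc"]
    return None


def _vec16(values):
    return struct.pack("!H", 2 * len(values)) + b"".join(struct.pack("!H", v) for v in values)


def build_client_hello(suites, extensions):
    """Constructed test input: ClientHello record with zeroed random, empty
    session id, null compression; extensions is a list of (type, body) pairs."""
    ext = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + _vec16(suites)
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs


FIREFOX57_SUITES = [0xc02b, 0xc02f, 0xcca9, 0xcca8, 0xc02c, 0xc030, 0xc00a, 0xc009,
                    0xc013, 0xc014, 0x0033, 0x0039, 0x002f, 0x0035, 0x000a]
FIREFOX57_GROUPS = [0x001d, 0x0017, 0x0018, 0x0019]
FIREFOX57_EXTS = [
    (0x0000, b"\x00\x0e\x00\x00\x0bexample.com"),       # server_name (assumed host)
    (0x0017, b""),                                      # extended_master_secret
    (0xff01, b"\x00"),                                  # renegotiation_info
    (EXT_GROUPS, _vec16(FIREFOX57_GROUPS)),
    (EXT_EC_FMT, b"\x01\x00"),
    (0x0023, b""),                                      # session_ticket
    (0x0010, b"\x00\x0c\x02h2\x08http/1.1"),            # ALPN (assumed protocols)
    (0x0005, b"\x01\x00\x00\x00\x00"),                  # status_request
    (EXT_SIG_ALGS, _vec16([0x0403, 0x0503, 0x0603, 0x0804, 0x0805, 0x0806,
                           0x0401, 0x0501, 0x0601, 0x0203, 0x0201])),
    (EXT_PADDING, bytes(100)),                          # padding: filtered out
]
# Same hello with GREASE mixed in: the grease flag flips and the lookup no longer matches.
GREASED_EXTS = [(0x1a1a, b"\x00")] + [
    (t, _vec16([0x2a2a] + FIREFOX57_GROUPS) if t == EXT_GROUPS else b) for t, b in FIREFOX57_EXTS]

if __name__ == "__main__":
    for suites, exts in ((FIREFOX57_SUITES, FIREFOX57_EXTS), ([0x0a0a] + FIREFOX57_SUITES, GREASED_EXTS)):
        fp = parse_client_hello(build_client_hello(suites, exts))
        print(fp["grease"], fp["extensions"], lookup(fp))
```

The second run shows why GREASE is filtered rather than simply dropped: the values themselves are random and must not enter the fingerprint, but the fact that a client sends them is stable per implementation, so it is kept as the boolean "grease" field and a greased hello does not match the Firefox 57 record.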
  10. Configuration

    Usage: fingerprintls <options>
    Options:
      -h              This message
      -i <interface>  Sniff packets from specified interface
      -p <pcap file>  Read packets from specified pcap file
      -P <pcap file>  Save packets to specified pcap file for unknown fingerprints
      -j <json file>  Output JSON fingerprints
      -l <log file>   Output logfile (JSON format)
      -d              Show reasons for discarded packets (post BPF)
      -f <fpdb>       Load the (binary) FingerPrint Database
      -u <uid>        Drop privileges to specified username
      -D              Do not discard padding
  11.-17. tlsProxy architecture (built up one stage per slide): Listening socket → connect goroutine() → Packet Parser → one of three front-ends (TLS Transparent Proxy, HTTP CONNECT, SOCKS Proxy) → Payload dissector → TLS dissector → Lookup Rules → Connect & Forward. Caption on the goroutine: "Sorta threading forking something, sorta not…"
  18. Configuration

    Usage: tlsProxy <options>
      -blocklist string    the blocklist file (default "./blocklist")
      -config string       location of config file (default "./config.json")
      -fingerprint string  the fingerprint file (default "./tlsproxy.json")
      -listen string       address for proxy to listen to (default "127.0.0.1:8080")
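The front half of the tlsProxy pipeline on slides 11-18, as an added example that is not tlsProxy's own code: for each of the three front-ends the proxy offers, recover the destination the client asked for (the HTTP CONNECT request line, the SOCKS5 CONNECT request of RFC 1928, or, in transparent mode, the original destination the kernel reports via SO_ORIGINAL_DST on Linux plus the SNI from the ClientHello), then run the "Lookup Rules" step against a blocklist before deciding whether to connect and forward. The blocklist format (one glob per line, "#" comments) and the request bytes are constructed assumptions; the fingerprint description passed in would come from the TLS dissector step.

```python
import fnmatch
import ipaddress
import struct


def parse_http_connect(data):
    """Destination of an HTTP 'CONNECT host:port HTTP/1.x' request -> (host, port)."""
    line = data.split(b"\r\n", 1)[0].decode("ascii")
    method, target, version = line.split(" ")
    if method != "CONNECT" or not version.startswith("HTTP/"):
        raise ValueError("not an HTTP CONNECT request")
    host, _, port = target.rpartition(":")
    return host.strip("[]"), int(port)


def parse_socks5_connect(data):
    """Destination of a SOCKS5 CONNECT request (RFC 1928, section 4) -> (host, port)."""
    ver, cmd, _rsv, atyp = struct.unpack_from("!BBBB", data, 0)
    if ver != 5 or cmd != 1:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == 1:                                   # IPv4 address
        host, end = str(ipaddress.IPv4Address(bytes(data[4:8]))), 8
    elif atyp == 3:                                 # length-prefixed domain name
        n = data[4]
        host, end = data[5:5 + n].decode("ascii"), 5 + n
    elif atyp == 4:                                 # IPv6 address
        host, end = str(ipaddress.IPv6Address(bytes(data[4:20]))), 20
    else:
        raise ValueError("unknown SOCKS5 address type %d" % atyp)
    return host, struct.unpack_from("!H", data, end)[0]


def resolve_destination(mode, data=b"", original_dst=None, sni=None):
    """Where the client wants to go, per front-end. In transparent mode the
    caller supplies the kernel's original destination (SO_ORIGINAL_DST on
    Linux); the SNI, when present, names the host the client actually asked for."""
    if mode == "transparent":
        ip, port = original_dst
        return (sni or ip), port
    if mode == "connect":
        return parse_http_connect(data)
    if mode == "socks":
        return parse_socks5_connect(data)
    raise ValueError("unknown proxy mode %r" % mode)


def load_blocklist(text):
    """Assumed blocklist format (not tlsProxy's): one glob per line, '#' comments."""
    return [line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def lookup_rules(host, port, blocklist, fingerprint_desc=None):
    """Decide whether to connect & forward; the dict doubles as the log record."""
    host = host.lower().rstrip(".")
    decision = {"dest": "%s:%d" % (host, port), "client": fingerprint_desc or "unknown",
                "action": "forward", "rule": None}
    for pattern in blocklist:
        if fnmatch.fnmatchcase(host, pattern):
            decision.update(action="block", rule=pattern)
            break
    return decision


# Constructed inputs, one per front-end.
BLOCKLIST = load_blocklist("# constructed blocklist\n*.blocked.example\nexfil.example\n")
CONNECT_REQ = b"CONNECT mail.example.com:443 HTTP/1.1\r\nHost: mail.example.com:443\r\n\r\n"
SOCKS_REQ = b"\x05\x01\x00\x03\x13cdn.blocked.example\x01\xbb"   # domain name, port 443
TRANSPARENT_DST, TRANSPARENT_SNI = ("203.0.113.10", 443), "app.example.com"


def demo():
    """Run all three front-ends through the rule lookup; returns the decisions."""
    return [
        lookup_rules(*resolve_destination("connect", CONNECT_REQ), BLOCKLIST, "Firefox 57"),
        lookup_rules(*resolve_destination("socks", SOCKS_REQ), BLOCKLIST),
        lookup_rules(*resolve_destination("transparent", original_dst=TRANSPARENT_DST,
                                          sni=TRANSPARENT_SNI), BLOCKLIST, "Firefox 57"),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Because the decision record carries both the destination and the client identification from the fingerprint lookup, the same structure serves as the proxy's log line, which is what lets a blue team see which client implementation made a blocked or forwarded connection without decrypting anything.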
  19. Next Steps: Certificate verification; Certificate based blocking; TLS Parameter blocking (:wave: PCI-DSS!); Fingerprint based blocking; supported_groups