Upgrade to Pro — share decks privately, control downloads, hide ads and more …

TLS Tools for Blue Teams

Lee Brotherston
November 14, 2017
Technology
0
150

TLS Tools for Blue Teams

TLS can cause problems for security teams, breaking TLS or ignoring TLS are common modus operandi, both are flawed and expose organizations to weaknesses. This session focusses on the management of TLS from a blue team perspective, without either ignoring or breaking TLS implementations.

We will discuss specific tooling, FingerPrinTLS and TLSProxy will be the primary focus, how to configure and deploy them in the real world, application architecture, considerations and demonstrations.

Lee Brotherston

November 14, 2017
Tweet

More Decks by Lee Brotherston

See All by Lee Brotherston
Blue Team TLS Hugs
leebrotherston
0
340
Abusing TLS For Defensive Wins
leebrotherston
2
1.1k
TLS Fingerprinting SecTorCA Edition
leebrotherston
0
170
Stealthier Attacks and Smarter Defending with TLS Fingerprinting
leebrotherston
0
210
The Cynical Trust Model
leebrotherston
0
52
Corporation In The Middle
leebrotherston
0
120
Corporation In The Middle - SecTor
leebrotherston
0
37
Incident Response for Cheapskates - BSidesTO 2013
leebrotherston
0
60

Other Decks in Technology

See All in Technology
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
230
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
スクラム成熟度セルフチェックツールを作って得た学びとその活用法
coincheck_recruit
1
140
Taming you application's environments
salaboy
0
190
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
Amazon Personalizeの レコメンドシステム構築、実際何するの? 〜大体10分で具体的なイメージをつかむ〜
kniino
1
100
強いチームと開発生産性
onk
PRO
34
11k
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
750
SRE×AIOpsを始めよう!GuardDutyによるお手軽脅威検出
amixedcolor
0
110
The Role of Developer Relations in AI Product Success.
giftojabu1
0
120

Featured

See All Featured
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
Producing Creativity
orderedlist
PRO
341
39k
Rails Girls Zürich Keynote
gr2m
94
13k
The Cost Of JavaScript in 2023
addyosmani
45
6.8k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
[RailsConf 2023] Rails as a piece of cake
palkan
52
4.9k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
A Philosophy of Restraint
colly
203
16k
Practical Orchestrator
shlominoach
186
10k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
Become a Pro
speakerdeck
PRO
25
5k

Transcript

  1. TLS Tools for Blue Teams Lee Brotherston - @synackpse

  2. (no one cares) Who is this guy?

  3. What are we talking about?

  4. None

  5. A few new things it got all GREASE’y

  6. TLS_DHE_PSK_WITH_AES_256_CCM TLS_ECDHE_PSK_WITH_NULL_SHA256 TLS_SRP_SHA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CCM_8 TLS_RSA_WITH_AES_256_CCM TLS_ECDHE_PSK_WITH_NULL_SHA TLS_FALLBACK_SCSV TLS_KRB5_WITH_RC4_128_SHA

  7. TLS_DHE_PSK_WITH_AES_256_CCM TLS_ECDHE_PSK_WITH_NULL_SHA256 TLS_SRP_SHA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CCM_8 TLS_RSA_WITH_AES_256_CCM TLS_ECDHE_PSK_WITH_NULL_SHA TLS_FALLBACK_SCSV TLS_KRB5_WITH_RC4_128_SHA TLS_DHE_PSK_WITH_AES_256_CCM TLS_ECDHE_PSK_WITH_NULL_SHA256

    TLS_SRP_SHA_WITH_AES_256_CBC_SHA ¯\_(ツ)_/¯ TLS_RSA_WITH_AES_256_CCM_8 TLS_RSA_WITH_AES_256_CCM (o_O) TLS_ECDHE_PSK_WITH_NULL_SHA TLS_FALLBACK_SCSV TLS_KRB5_WITH_RC4_128_SHA (⌐▪_▪)

  8. FingerprinTLS …. and associated ancillary things

  9. Deployment

  10. Application Architecture

  11. libpcap

  12. libpcap Berkley Packet Filter (kernel)

  13. libpcap Berkley Packet Filter (kernel) Berkley Packet Filter (userspace)

  14. libpcap Berkley Packet Filter (kernel) Berkley Packet Filter (userspace) Layer

    2 dissector

  15. libpcap Berkley Packet Filter (kernel) Berkley Packet Filter (userspace) Layer

    2 dissector Layer 3 dissector

  16. libpcap Berkley Packet Filter (kernel) Berkley Packet Filter (userspace) Layer

    2 dissector Layer 3 dissector

  17. libpcap Berkley Packet Filter (kernel) Berkley Packet Filter (userspace) Layer

    2 dissector Layer 3 dissector Teredo dissector

  18. libpcap Berkley Packet Filter (kernel) Berkley Packet Filter (userspace) Layer

    2 dissector Layer 3 dissector Teredo dissector 6in4 / 6RD dissector

  19. libpcap Berkley Packet Filter (kernel) Berkley Packet Filter (userspace) Layer

    2 dissector Layer 3 dissector Teredo dissector 6in4 / 6RD dissector IPv4 dissector

  20. libpcap Berkley Packet Filter (kernel) Berkley Packet Filter (userspace) Layer

    2 dissector Layer 3 dissector Teredo dissector 6in4 / 6RD dissector IPv4 dissector IPv6 dissector

  21. libpcap Berkley Packet Filter (kernel) Berkley Packet Filter (userspace) Layer

    2 dissector Layer 3 dissector Teredo dissector 6in4 / 6RD dissector IPv4 dissector IPv6 dissector Payload dissector

  22. libpcap Berkley Packet Filter (kernel) Berkley Packet Filter (userspace) Layer

    2 dissector Layer 3 dissector Teredo dissector 6in4 / 6RD dissector IPv4 dissector IPv6 dissector Payload dissector TLS dissector

  23. TLS Dissection

  24. Parse Fixed Fields

  25. Parse Fixed Fields Discard Session Specific Data

  26. Parse Fixed Fields Discard Session Specific Data Parse Dynamic Size

    Fields

  27. Parse Fixed Fields Discard Session Specific Data Parse Dynamic Size

    Fields Filter Padding

  28. Parse Fixed Fields Discard Session Specific Data Parse Dynamic Size

    Fields Filter Padding Filter GREASE

  29. Parse Fixed Fields Discard Session Specific Data Parse Dynamic Size

    Fields Filter Padding Filter GREASE Parse Extensions

  30. Parse Fixed Fields Discard Session Specific Data Parse Dynamic Size

    Fields Filter Padding Filter GREASE Parse Extensions Lookup in DB

  31. Parse Fixed Fields Discard Session Specific Data Parse Dynamic Size

    Fields Filter Padding Filter GREASE Parse Extensions Lookup in DB { "id": 416, "desc": "Firefox 57", "record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x1e", "ciphersuite": "0xc02bc02fcca9cca8c02cc030c00ac009c013c01400330039002f0035000a", "compression_length": "1", "compression": "0x00", "extensions": "0x00000017ff01000a000b002300100005000d", "e_curves": "0x001d001700180019", "sig_alg": "0x04030503060308040805080604010501060102030201", "ec_point_fmt": "0x00", "grease": false }

  32. Known unknowns

  33. Configuration Usage: fingerprintls <options> Options: -h This message -i <interface>

    Sniff packets from specified interface -p <pcap file> Read packets from specified pcap file -P <pcap file> Save packets to specified pcap file for unknown fingerprints -j <json file> Output JSON fingerprints -l <log file> Output logfile (JSON format) -d Show reasons for discarded packets (post BPF) -f <fpdb> Load the (binary) FingerPrint Database -u <uid> Drop privileges to specified username -D Do not discard padding

  34. { “format”: “JSON” } Vaguely parsable i/o

  35. Some python at least it’s not Ruby :)

  36. …and 1 proprietary file because Lee sucks!

  37. But it’s C

  38. Battle tested Single process, 471days on the internet, and counting

  39. Demo Time

  40. TLSProxy ….a proxy….. for TLS…..

  41. Client Server

  42. Client Server TLS Handshake

  43. Client Server TLS Handshake Request

  44. Client Server TLS Handshake TLS Handshake Request

  45. Client Server TLS Handshake TLS Handshake Request

  46. Client Server Request Response TLS Handshake TLS Handshake Request

  47. Client Server Request Response TLS Handshake TLS Handshake Request

  48. Client Server Request Response TLS Handshake TLS Handshake Request Response

  49. Client Server Request Response TLS Handshake TLS Handshake Request Response

    ClearText

  50. Client Server

  51. Client Server Actual Certificate Authority

  52. Client Server Actual Certificate Authority My Corp CA :)

  53. Client Server Actual Certificate Authority My Corp CA :) Nope

  54. TLS Handshake Response Request Response Client Server

  55. Real Server Client TLSProxy TCP: SYN TCP: SYN/ACK TCP: ACK

  56. Real Server Client TLSProxy TCP: SYN TCP: SYN/ACK TCP: ACK

    Client Hello

  57. Real Server Client TLSProxy TCP: SYN TCP: SYN/ACK TCP: ACK

    Client Hello

  58. Real Server Client TLSProxy TCP: SYN TCP: SYN/ACK TCP: ACK

    Client Hello

  59. Real Server Client TLSProxy TCP: SYN TCP: SYN/ACK TCP: ACK

    Client Hello

  60. Real Server Client TLSProxy TCP: SYN TCP: SYN/ACK TCP: ACK

    Client Hello

  61. Real Server Client TLSProxy TCP: SYN TCP: SYN/ACK TCP: ACK

    Client Hello

  62. Deployment …

  63. Application Architecture

  64. Listening socket

  65. Listening socket connect goroutine()

  66. Listening socket connect goroutine() Sorta threading forking something, sorta not…

  67. Listening socket connect goroutine() Packet Parser Sorta threading forking something,

    sorta not…

  68. Listening socket connect goroutine() Packet Parser Sorta threading forking something,

    sorta not…

  69. Listening socket connect goroutine() Packet Parser TLS Transparent Proxy Sorta

    threading forking something, sorta not…

  70. Listening socket connect goroutine() Packet Parser TLS Transparent Proxy HTTP

    Connect Sorta threading forking something, sorta not…

  71. Listening socket connect goroutine() Packet Parser TLS Transparent Proxy HTTP

    Connect SOCKS Proxy Sorta threading forking something, sorta not…

  72. Listening socket connect goroutine() Packet Parser TLS Transparent Proxy HTTP

    Connect SOCKS Proxy Sorta threading forking something, sorta not…

  73. Listening socket connect goroutine() Packet Parser TLS Transparent Proxy HTTP

    Connect SOCKS Proxy Payload dissector Sorta threading forking something, sorta not…

  74. Listening socket connect goroutine() Packet Parser TLS Transparent Proxy HTTP

    Connect SOCKS Proxy Payload dissector TLS dissector Sorta threading forking something, sorta not…

  75. Listening socket connect goroutine() Packet Parser TLS Transparent Proxy HTTP

    Connect SOCKS Proxy Payload dissector TLS dissector Lookup Rules Sorta threading forking something, sorta not…

  76. Listening socket connect goroutine() Packet Parser TLS Transparent Proxy HTTP

    Connect SOCKS Proxy Payload dissector TLS dissector Lookup Rules Connect & Forward Sorta threading forking something, sorta not…

  77. Yup, it’s Go

  78. Configuration Usage: tlsProxy <options> -blocklist string the blocklist file (default

    "./blocklist") -config string location of config file (default "./config.json") -fingerprint string the fingerprint file (default "./tlsproxy.json") -listen string address for proxy to listen to (default "127.0.0.1:8080")

  79. Demo Time

  80. Next Steps.. Certificate verification Certificate based blocking TLS Parameter blocking

    (:wave: PCI-DSS!) Fingerprint based blocking supported_groups

  81. Call to action! Stop breaking TLS, start giving TLS hugs!

    … also stop saying SSL

  82. Some stuff https://github.com/LeeBrotherston/tls-fingerprinting https://github.com/LeeBrotherston/tlsProxy @synackpse @fingerprinTLS https://blog.squarelemon.com/ https://squarelemon.com/tls-fingerprinting/ https://www.youtube.com/watch?v=XX0FRAy2Mec https://player.vimeo.com/video/188841319

  83. Any questions? (may not have answers)