Slide 1

Slide 1 text

TLS Tools for Blue Teams
Lee Brotherston - @synackpse

Slide 2

Slide 2 text

(no one cares) Who is this guy?

Slide 3

Slide 3 text

What are we talking about?


Slide 5

Slide 5 text

A few new things
It got all GREASE'y

Slide 6

Slide 6 text

TLS_DHE_PSK_WITH_AES_256_CCM TLS_ECDHE_PSK_WITH_NULL_SHA256 TLS_SRP_SHA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CCM_8 TLS_RSA_WITH_AES_256_CCM TLS_ECDHE_PSK_WITH_NULL_SHA TLS_FALLBACK_SCSV TLS_KRB5_WITH_RC4_128_SHA

Slide 7

Slide 7 text

TLS_DHE_PSK_WITH_AES_256_CCM TLS_ECDHE_PSK_WITH_NULL_SHA256 TLS_SRP_SHA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CCM_8 TLS_RSA_WITH_AES_256_CCM TLS_ECDHE_PSK_WITH_NULL_SHA TLS_FALLBACK_SCSV TLS_KRB5_WITH_RC4_128_SHA TLS_DHE_PSK_WITH_AES_256_CCM TLS_ECDHE_PSK_WITH_NULL_SHA256 TLS_SRP_SHA_WITH_AES_256_CBC_SHA ¯\_(ツ)_/¯ TLS_RSA_WITH_AES_256_CCM_8 TLS_RSA_WITH_AES_256_CCM (o_O) TLS_ECDHE_PSK_WITH_NULL_SHA TLS_FALLBACK_SCSV TLS_KRB5_WITH_RC4_128_SHA (⌐■_■)

Slide 8

Slide 8 text

FingerprinTLS …. and associated ancillary things

Slide 9

Slide 9 text

Deployment

Slide 10

Slide 10 text

Application Architecture

Slide 11

Slide 11 text

libpcap

Slide 12

Slide 12 text

libpcap Berkeley Packet Filter (kernel)

Slide 13

Slide 13 text

libpcap Berkeley Packet Filter (kernel) Berkeley Packet Filter (userspace)

Slide 14

Slide 14 text

libpcap Berkeley Packet Filter (kernel) Berkeley Packet Filter (userspace) Layer 2 dissector

Slide 15

Slide 15 text

libpcap Berkeley Packet Filter (kernel) Berkeley Packet Filter (userspace) Layer 2 dissector Layer 3 dissector

Slide 16

Slide 16 text

libpcap Berkeley Packet Filter (kernel) Berkeley Packet Filter (userspace) Layer 2 dissector Layer 3 dissector

Slide 17

Slide 17 text

libpcap Berkeley Packet Filter (kernel) Berkeley Packet Filter (userspace) Layer 2 dissector Layer 3 dissector Teredo dissector

Slide 18

Slide 18 text

libpcap Berkeley Packet Filter (kernel) Berkeley Packet Filter (userspace) Layer 2 dissector Layer 3 dissector Teredo dissector 6in4 / 6RD dissector

Slide 19

Slide 19 text

libpcap Berkeley Packet Filter (kernel) Berkeley Packet Filter (userspace) Layer 2 dissector Layer 3 dissector Teredo dissector 6in4 / 6RD dissector IPv4 dissector

Slide 20

Slide 20 text

libpcap Berkeley Packet Filter (kernel) Berkeley Packet Filter (userspace) Layer 2 dissector Layer 3 dissector Teredo dissector 6in4 / 6RD dissector IPv4 dissector IPv6 dissector

Slide 21

Slide 21 text

libpcap Berkeley Packet Filter (kernel) Berkeley Packet Filter (userspace) Layer 2 dissector Layer 3 dissector Teredo dissector 6in4 / 6RD dissector IPv4 dissector IPv6 dissector Payload dissector

Slide 22

Slide 22 text

libpcap
Berkeley Packet Filter (kernel)
Berkeley Packet Filter (userspace)
Layer 2 dissector
Layer 3 dissector
Teredo dissector
6in4 / 6RD dissector
IPv4 dissector
IPv6 dissector
Payload dissector
TLS dissector

Slide 23

Slide 23 text

TLS Dissection

Slide 24

Slide 24 text

Parse Fixed Fields

Slide 25

Slide 25 text

Parse Fixed Fields Discard Session Specific Data

Slide 26

Slide 26 text

Parse Fixed Fields Discard Session Specific Data Parse Dynamic Size Fields

Slide 27

Slide 27 text

Parse Fixed Fields Discard Session Specific Data Parse Dynamic Size Fields Filter Padding

Slide 28

Slide 28 text

Parse Fixed Fields Discard Session Specific Data Parse Dynamic Size Fields Filter Padding Filter GREASE

Slide 29

Slide 29 text

Parse Fixed Fields Discard Session Specific Data Parse Dynamic Size Fields Filter Padding Filter GREASE Parse Extensions

Slide 30

Slide 30 text

Parse Fixed Fields Discard Session Specific Data Parse Dynamic Size Fields Filter Padding Filter GREASE Parse Extensions Lookup in DB

Slide 31

Slide 31 text

Parse Fixed Fields
Discard Session Specific Data
Parse Dynamic Size Fields
Filter Padding
Filter GREASE
Parse Extensions
Lookup in DB

{
  "id": 416,
  "desc": "Firefox 57",
  "record_tls_version": "0x0301",
  "tls_version": "0x0303",
  "ciphersuite_length": "0x1e",
  "ciphersuite": "0xc02bc02fcca9cca8c02cc030c00ac009c013c01400330039002f0035000a",
  "compression_length": "1",
  "compression": "0x00",
  "extensions": "0x00000017ff01000a000b002300100005000d",
  "e_curves": "0x001d001700180019",
  "sig_alg": "0x04030503060308040805080604010501060102030201",
  "ec_point_fmt": "0x00",
  "grease": false
}
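The dissection pipeline above, as an added Python example (not FingerprinTLS's own C code): it parses the fixed fields of a ClientHello record, discards the session-specific random and session id, walks the variable-length fields and extensions, drops the padding extension and GREASE values, and emits the same fields as the DB entry. The input is a ClientHello constructed here from the Firefox 57 entry's values with GREASE and padding added, so the output matches that entry except that the grease flag (assumed here to mean "GREASE values were seen") comes out true.

```python
GREASE = {(v << 8) | v for v in range(0x0a, 0x100, 0x10)}   # RFC 8701: 0x0a0a ... 0xfafa
PADDING_EXT = 0x0015                                         # RFC 7685 padding extension
def u16s(d): return [int.from_bytes(d[i:i + 2], "big") for i in range(0, len(d), 2)]
def pack(vals): return b"".join(v.to_bytes(2, "big") for v in vals)

def fingerprint_client_hello(rec):
    """Reduce one ClientHello TLS record to FingerprinTLS-style fingerprint fields."""
    hs = rec[5:]                          # record header: type(1) version(2) length(2)
    pos = 6 + 32                          # skip 32-byte random   (session specific)
    pos += 1 + hs[pos]                    # skip session id       (session specific)
    cs_len = u16s(hs[pos:pos + 2])[0]; pos += 2
    suites = u16s(hs[pos:pos + cs_len]); pos += cs_len
    comp = hs[pos + 1:pos + 1 + hs[pos]]; pos += 1 + len(comp)
    end = pos + 2 + u16s(hs[pos:pos + 2])[0]; pos += 2
    grease = any(s in GREASE for s in suites)
    ext_types, curves, sig_alg, ec_fmt = [], [], b"", b""
    while pos < end:                      # dynamic-size fields: one extension each
        etype, elen = u16s(hs[pos:pos + 4])
        body = hs[pos + 4:pos + 4 + elen]; pos += 4 + elen
        if etype in GREASE or etype == PADDING_EXT:
            grease |= etype in GREASE
            continue                      # filtered: never part of the fingerprint
        ext_types.append(etype)
        if etype == 0x000a:               # supported_groups: 2-byte length + list
            curves = u16s(body[2:])
            grease |= any(g in GREASE for g in curves)
        elif etype == 0x000d:             # signature_algorithms: 2-byte length + list
            sig_alg = body[2:]
        elif etype == 0x000b:             # ec_point_formats: 1-byte length + list
            ec_fmt = body[1:]
    suites = [s for s in suites if s not in GREASE]
    curves = [g for g in curves if g not in GREASE]
    return {"record_tls_version": "0x" + rec[1:3].hex(), "tls_version": "0x" + hs[4:6].hex(),
            "ciphersuite_length": "0x%02x" % (2 * len(suites)), "ciphersuite": "0x" + pack(suites).hex(),
            "compression_length": str(len(comp)), "compression": "0x" + comp.hex(),
            "extensions": "0x" + pack(ext_types).hex(), "e_curves": "0x" + pack(curves).hex(),
            "sig_alg": "0x" + sig_alg.hex(), "ec_point_fmt": "0x" + ec_fmt.hex(), "grease": grease}

def build_client_hello(suites, exts):     # constructed test input, not captured traffic
    ext_blob = b"".join(pack([t, len(b)]) + b for t, b in exts)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + pack([2 * len(suites)]) + pack(suites)
            + b"\x01\x00" + pack([len(ext_blob)]) + ext_blob)    # null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + pack([len(hs)]) + hs

# Firefox 57 values from the DB entry, plus GREASE (suite, extension, group) and 64 bytes of padding
FIREFOX57 = u16s(bytes.fromhex("c02bc02fcca9cca8c02cc030c00ac009c013c01400330039002f0035000a"))
SAMPLE = build_client_hello([0x0a0a] + FIREFOX57, [(0x0a0a, b""),
    (0x0000, b"\x00\x0e\x00\x00\x0bexample.com"), (0x0017, b""), (0xff01, b"\x00"),
    (0x000a, b"\x00\x0a" + pack([0x0a0a, 0x001d, 0x0017, 0x0018, 0x0019])), (0x000b, b"\x01\x00"),
    (0x0023, b""), (0x0010, b"\x00\x03\x02h2"), (0x0005, b"\x01\x00\x00\x00\x00"),
    (0x000d, b"\x00\x16" + bytes.fromhex("04030503060308040805080604010501060102030201")), (PADDING_EXT, bytes(64))])
```

Running `fingerprint_client_hello(SAMPLE)` gives every field of DB entry 416 verbatim, which is the lookup key; only "grease" differs because the sample injects GREASE values that Firefox 57 itself never sent.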

Slide 32

Slide 32 text

Known unknowns

Slide 33

Slide 33 text

Configuration

Usage: fingerprintls
Options:
  -h  This message
  -i  Sniff packets from specified interface
  -p  Read packets from specified pcap file
  -P  Save packets to specified pcap file for unknown fingerprints
  -j  Output JSON fingerprints
  -l  Output logfile (JSON format)
  -d  Show reasons for discarded packets (post BPF)
  -f  Load the (binary) FingerPrint Database
  -u  Drop privileges to specified username
  -D  Do not discard padding

Slide 34

Slide 34 text

{ "format": "JSON" }
Vaguely parsable I/O

Slide 35

Slide 35 text

Some Python
At least it's not Ruby :)

Slide 36

Slide 36 text

…and 1 proprietary file because Lee sucks!

Slide 37

Slide 37 text

But it’s C

Slide 38

Slide 38 text

Battle tested
Single process, 471 days on the internet, and counting

Slide 39

Slide 39 text

Demo Time

Slide 40

Slide 40 text

TLSProxy
...a proxy... for TLS...

Slide 41

Slide 41 text

Client Server

Slide 42

Slide 42 text

Client Server TLS Handshake

Slide 43

Slide 43 text

Client Server TLS Handshake Request

Slide 44

Slide 44 text

Client Server TLS Handshake TLS Handshake Request

Slide 45

Slide 45 text

Client Server TLS Handshake TLS Handshake Request

Slide 46

Slide 46 text

Client Server Request Response TLS Handshake TLS Handshake Request

Slide 47

Slide 47 text

Client Server Request Response TLS Handshake TLS Handshake Request

Slide 48

Slide 48 text

Client Server Request Response TLS Handshake TLS Handshake Request Response

Slide 49

Slide 49 text

Client Server Request Response TLS Handshake TLS Handshake Request Response ClearText

Slide 50

Slide 50 text

Client Server

Slide 51

Slide 51 text

Client Server Actual Certificate Authority

Slide 52

Slide 52 text

Client Server Actual Certificate Authority My Corp CA :)

Slide 53

Slide 53 text

Client Server Actual Certificate Authority My Corp CA :) Nope

Slide 54

Slide 54 text

TLS Handshake Response Request Response Client Server

Slide 55

Slide 55 text

Real Server Client TLSProxy TCP: SYN TCP: SYN/ACK TCP: ACK

Slide 56

Slide 56 text

Real Server Client TLSProxy TCP: SYN TCP: SYN/ACK TCP: ACK Client Hello

Slide 57

Slide 57 text

Real Server Client TLSProxy TCP: SYN TCP: SYN/ACK TCP: ACK Client Hello

Slide 58

Slide 58 text

Real Server Client TLSProxy TCP: SYN TCP: SYN/ACK TCP: ACK Client Hello

Slide 59

Slide 59 text

Real Server Client TLSProxy TCP: SYN TCP: SYN/ACK TCP: ACK Client Hello

Slide 60

Slide 60 text

Real Server Client TLSProxy TCP: SYN TCP: SYN/ACK TCP: ACK Client Hello

Slide 61

Slide 61 text

Real Server Client TLSProxy TCP: SYN TCP: SYN/ACK TCP: ACK Client Hello

Slide 62

Slide 62 text

Deployment …

Slide 63

Slide 63 text

Application Architecture

Slide 64

Slide 64 text

Listening socket

Slide 65

Slide 65 text

Listening socket connect goroutine()

Slide 66

Slide 66 text

Listening socket connect goroutine() Sorta threading forking something, sorta not…

Slide 67

Slide 67 text

Listening socket connect goroutine() Packet Parser Sorta threading forking something, sorta not…

Slide 68

Slide 68 text

Listening socket connect goroutine() Packet Parser Sorta threading forking something, sorta not…

Slide 69

Slide 69 text

Listening socket connect goroutine() Packet Parser TLS Transparent Proxy Sorta threading forking something, sorta not…

Slide 70

Slide 70 text

Listening socket connect goroutine() Packet Parser TLS Transparent Proxy HTTP Connect Sorta threading forking something, sorta not…

Slide 71

Slide 71 text

Listening socket connect goroutine() Packet Parser TLS Transparent Proxy HTTP Connect SOCKS Proxy Sorta threading forking something, sorta not…

Slide 72

Slide 72 text

Listening socket connect goroutine() Packet Parser TLS Transparent Proxy HTTP Connect SOCKS Proxy Sorta threading forking something, sorta not…

Slide 73

Slide 73 text

Listening socket connect goroutine() Packet Parser TLS Transparent Proxy HTTP Connect SOCKS Proxy Payload dissector Sorta threading forking something, sorta not…

Slide 74

Slide 74 text

Listening socket connect goroutine() Packet Parser TLS Transparent Proxy HTTP Connect SOCKS Proxy Payload dissector TLS dissector Sorta threading forking something, sorta not…

Slide 75

Slide 75 text

Listening socket connect goroutine() Packet Parser TLS Transparent Proxy HTTP Connect SOCKS Proxy Payload dissector TLS dissector Lookup Rules Sorta threading forking something, sorta not…

Slide 76

Slide 76 text

Listening socket
connect goroutine() (Sorta threading forking something, sorta not…)
Packet Parser
TLS Transparent Proxy
HTTP Connect
SOCKS Proxy
Payload dissector
TLS dissector
Lookup Rules
Connect & Forward

Slide 77

Slide 77 text

Yup, it’s Go

Slide 78

Slide 78 text

Configuration

Usage: tlsProxy
  -blocklist string
        the blocklist file (default "./blocklist")
  -config string
        location of config file (default "./config.json")
  -fingerprint string
        the fingerprint file (default "./tlsproxy.json")
  -listen string
        address for proxy to listen to (default "127.0.0.1:8080")

Slide 79

Slide 79 text

Demo Time

Slide 80

Slide 80 text

Next Steps..
Certificate verification
Certificate based blocking
TLS Parameter blocking (:wave: PCI-DSS!)
Fingerprint based blocking
supported_groups

Slide 81

Slide 81 text

Call to action!
Stop breaking TLS, start giving TLS hugs!
… also stop saying SSL

Slide 82

Slide 82 text

Some stuff
https://github.com/LeeBrotherston/tls-fingerprinting
https://github.com/LeeBrotherston/tlsProxy
@synackpse
@fingerprinTLS
https://blog.squarelemon.com/
https://squarelemon.com/tls-fingerprinting/
https://www.youtube.com/watch?v=XX0FRAy2Mec
https://player.vimeo.com/video/188841319

Slide 83

Slide 83 text

Any questions? (may not have answers)