TLS Fingerprinting - Stealthier Attacking & Smarter Defending - DerbyCon

Date post: 12-Apr-2017
Upload: lee-brotherston

Stealthier Attacks & Smarter Defending with TLS Fingerprinting
Lee Brotherston @synackpse #TLSFP

Transcript
Page 1

Stealthier Attacks & Smarter Defending with TLS Fingerprinting
Lee Brotherston
@synackpse #TLSFP

Page 2

… A "Zero Math, (almost) Zero Crypto" TLS Talk
Lee Brotherston
@synackpse #TLSFP

Page 3

TLS PRIMER ….. (Shhhh…. it's not a cryptographic algorithm)

Page 4

Page 5

[Diagram: TCP three-way handshake between Client and Server; the crypto that follows is hand-waved as "Kittens……..", "Unicorn Tears" and "Pixie Dust".]

Client -> Server: TCP: SYN
Server -> Client: TCP: SYN/ACK
Client -> Server: TCP: ACK

Page 6

[Diagram: simplified TLS handshake between Client and Server once the TCP handshake is done. Certificate, Server Hello Done and Finished are not drawn.]

Client -> Server: Client Hello
Server -> Client: Server Hello
Client -> Server: Client Key Exchange
Client -> Server: Change Cipher Spec
Server -> Client: Change Cipher Spec
Client <-> Server: Encrypted Data

The Client Hello is the first TLS message on the wire and is sent before any key has been agreed, so anyone who can see the packet can read every field in it.

Page 7

Fingerprints

Page 8

Why Clients?

Page 9

A server's TLS settings are whatever the administrator wrote into the config (Apache, Postfix and Dovecot examples below), so they say little about the software behind them. A client's Client Hello is produced by the application's TLS library, usually with no per-site configuration, so it identifies the client software.

SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on

smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = TLSv1

ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

Page 10

Origin Story

Pages 11-17

Page 18

Expanding…

Page 19

Client Hello layout, fields in wire order:

TLS record header: Content Type | Version | Length
Handshake header: Handshake Type | Length
Client Hello body: Version | Random | Session ID Length | Session ID | Cipher Suites Length | Cipher Suites | Compression Methods Length | Compression Methods | Extensions

Page 20

Same layout as Page 19 (the slide repeats the diagram).

Page 21

Extensions

Page 22

Significant, key-value order is!

Page 23

Creating a FingerPrint

Page 24

{
  "id": 0,
  "desc": "Dropbox (Win 8.1)",
  "record_tls_version": "0x0301",
  "tls_version": "0x0301",
  "ciphersuite_length": "0x0010",
  "ciphersuite": "0xC014 0xC013 0xC011 0x0039 0x0033 0x0035 0x002F 0x00FF",
  "compression_length": "1",
  "compression": "0x00",
  "extensions": "0x0000 0x0023",
  "server_name": "client-lb.dropbox.com"
}

Page 25

Deobfuscation

Page 26

ssh -p443 user@myhost

(don't pretend you don't)

Not everything on 443 is TLS and TLS is not only on 443: the filter below keys on the payload, not the port.

Page 27

Any Port ✓ Stateless ✓ Asymmetric ✓ Low Cost ✓

Page 28

tcpdump/BPF filter for Client Hellos on any port. tcp[12]/16*4 is the TCP header length, so tcp[tcp[12]/16*4] is the first byte of the TCP payload, the TLS record content type:

tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1)
and ((tcp[tcp[12]/16*4+9]=3) or (tcp[tcp[12]/16*4+9]=0))
and ((tcp[tcp[12]/16*4+1]=3) or (tcp[tcp[12]/16*4+1]=0))

Page 29

Tightened version: content type 22 (handshake), handshake type 1 (Client Hello, at payload offset 5), and the major byte of both the handshake version (offset 9) and the record version (offset 1) equal to 3:

tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1) and (tcp[tcp[12]/16*4+9]=3) and (tcp[tcp[12]/16*4+1]=3)
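The Client Hello walk on Pages 19 to 24 and the byte-offset filter on Pages 28 and 29, as an added example that is not part of the talk or of the FingerprinTLS code: a Python parser that applies the same stateless check (bytes 0, 5, 1 and 9 of the TCP payload) and then walks the handshake field by field into a record in the slides' JSON layout. The Client Hello it parses is constructed inside the block to reproduce the Dropbox (Win 8.1) record from Page 24 (zeroed random, empty session ID); the builder and those bytes are this example's own, not captured traffic.

```python
"""ClientHello fingerprint extraction in the field layout the slides use.
Added example for this page, not code from the talk or from FingerprinTLS.
The sample ClientHello at the bottom is constructed here to reproduce the
"Dropbox (Win 8.1)" record on the Page 24 slide; it is not captured traffic."""
import struct

# Extension types whose contents also go into a fingerprint.
SNI, SUPPORTED_GROUPS, EC_POINT_FORMATS, SIG_ALGS = 0x0000, 0x000A, 0x000B, 0x000D


def looks_like_client_hello(payload: bytes) -> bool:
    """The tcpdump filter from the slide applied to a TCP payload: byte 0 is 22
    (handshake record), byte 5 is 1 (ClientHello) and the major byte of both the
    record version (byte 1) and the handshake version (byte 9) is 3. Stateless
    and port-independent, which is why ssh-on-443 never matches."""
    return (len(payload) > 10 and payload[0] == 0x16 and payload[5] == 0x01
            and payload[1] == 0x03 and payload[9] == 0x03)

def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]

def _u16_list(buf: bytes, off: int, nbytes: int) -> list:
    return [_u16(buf, off + j) for j in range(0, nbytes, 2)]

def _hexlist(values, width: int = 4) -> str:
    return " ".join(f"0x{v:0{width}X}" for v in values)

def parse_client_hello(payload: bytes) -> dict:
    """Walk the ClientHello in wire order and return the fingerprint fields.
    Order is preserved everywhere: the sequence of suites, extensions, curves
    and signature algorithms is what tells one TLS stack from another."""
    if not looks_like_client_hello(payload):
        raise ValueError("not a TLS ClientHello")
    record_version = _u16(payload, 1)
    i = 9                                  # record header (5) + handshake type/length (4)
    tls_version = _u16(payload, i); i += 2
    i += 32                                # client random: never part of a fingerprint
    i += 1 + payload[i]                    # session ID length, then the session ID
    cs_len = _u16(payload, i); i += 2
    suites = _u16_list(payload, i, cs_len); i += cs_len
    comp_len = payload[i]; i += 1
    compression = list(payload[i:i + comp_len]); i += comp_len

    ext_types, server_name, curves, sig_alg, ec_fmt = [], "", [], [], []
    if i + 2 <= len(payload):              # the extensions block is optional
        end = i + 2 + _u16(payload, i); i += 2
        while i + 4 <= end:
            etype, elen = _u16(payload, i), _u16(payload, i + 2)
            body = payload[i + 4:i + 4 + elen]
            i += 4 + elen
            ext_types.append(etype)
            if etype == SNI and len(body) >= 5:
                # list length (2), name type (1), name length (2), host name
                server_name = body[5:5 + _u16(body, 3)].decode("ascii", "replace")
            elif etype == SUPPORTED_GROUPS and len(body) >= 2:
                curves = _u16_list(body, 2, _u16(body, 0))
            elif etype == EC_POINT_FORMATS and len(body) >= 1:
                ec_fmt = list(body[1:1 + body[0]])
            elif etype == SIG_ALGS and len(body) >= 2:
                sig_alg = _u16_list(body, 2, _u16(body, 0))

    return {
        "record_tls_version": f"0x{record_version:04X}",
        "tls_version": f"0x{tls_version:04X}",
        "ciphersuite_length": f"0x{cs_len:04X}",
        "ciphersuite": _hexlist(suites),
        "compression_length": str(comp_len),
        "compression": _hexlist(compression, 2),
        "extensions": _hexlist(ext_types),
        "e_curves": _hexlist(curves),
        "sig_alg": _hexlist(sig_alg),
        "ec_point_fmt": _hexlist(ec_fmt, 2),
        "server_name": server_name,        # names the destination, not the client
    }

def sni_extension(host: str) -> tuple:
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    return SNI, struct.pack("!H", len(entry)) + entry

def build_client_hello(version: int, suites: list, extensions: list,
                       record_version: int = None) -> bytes:
    """Assemble a minimal ClientHello (zeroed random, empty session ID, null
    compression) so the parser has input without a pcap. Test helper only."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return (b"\x16" + struct.pack("!H", record_version or version)
            + struct.pack("!H", len(handshake)) + handshake)

# Constructed input: the Dropbox (Win 8.1) record from the slide.
DROPBOX_HELLO = build_client_hello(
    0x0301,
    [0xC014, 0xC013, 0xC011, 0x0039, 0x0033, 0x0035, 0x002F, 0x00FF],
    [sni_extension("client-lb.dropbox.com"), (0x0023, b"")],   # 0x0023 = SessionTicket
)

if __name__ == "__main__":
    import json
    print(json.dumps(parse_client_hello(DROPBOX_HELLO), indent=1))
```

Run as a script it prints the Dropbox record. Fed the payload of any handshake record pulled from a pcap, the dict it returns can be compared field by field against a fingerprint DB, leaving server_name out of the comparison since it names the destination rather than the client.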

Page 30

Storage & Retention

Page 31

Filter                           Client to Server   Server to Client   False Positive
Unfiltered                       9547378            3776313            99.226%
Handshake & Client Hello Filter  51766              59                 2.859%
1st Byte TLS Version             51677              3                  0.005%
1st Byte TLS Version (Record)    51677              0                  0.000%

(A Client Hello only ever travels client to server, so every server-to-client match is a false positive.)

Page 32

Moving on…..

Page 33

Own Fingerprint Modification

Page 34

Collisions? (Car & Photo: @snipeyhead)

Page 35

Yes… ok no…. sort of….. a bit…. occasionally

Page 36

Defender Level 1: Detection

Page 37

SRC                  DEST
192.168.1.37:3847    66.185.84.30:443
192.168.1.37:44870   74.125.226.150:443
192.168.1.49:36469   38.229.70.22:6667
192.168.1.122:51593  54.204.30.235:22
10.54.107.19:64926   194.54.103.65:22
10.54.103.99:3010    54.204.30.201:443
10.54.103.76:3013    64.136.25.171:80
10.54.103.66:3847    192.168.10.64:25
10.54.103.33:3009    54.204.30.11:443
10.54.103.99:3010    192.168.10.10:443

Page 38

Attribution: Alex Pinto, MLSec

Page 39

$ sudo tcpdump -Xni eth0 host desktop

16:29:39.149010 IP 10.54.103.76.3010 > 54.204.30.201.443: Flags [P.], seq 826:991, ack 990, win 64, options [nop,nop,TS val 1123747053 ecr 530699601], length 165
    0x0000:  4500 00d9 62a9 4000 3306 586b 36af 939e  E...b.@.3.Xk6...
    0x0010:  c0a8 0115 01bb c04d 49e3 2eec fb96 5e29  .......MI.....^)
    0x0020:  8018 0040 ff69 0000 0101 080a 42fb 04ed  ...@.i......B...
    0x0030:  1fa1 d551 1703 0300 a008 7a4c d2cf 56e3  ...Q......zL..V.
    0x0040:  b83a b448 3e23 accd 3495 a547 202a e88a  .:.H>#..4..G.*..
    0x0050:  f05d 9f25 121a 9e1e 4944 4431 f493 0b4d  .].%....IDD1...M
    0x0060:  e5fc c83c a77c 0cf6 6adb 96d6 7b05 481d  ...<.|..j...{.H.
    0x0070:  84d8 9049 952d d524 6643 00aa ccc7 48d1  ...I.-.$fC....H.
    0x0080:  31d4 d033 d523 39e7 dbcd 5b8f 2204 da9d  1..3.#9...[."...
    0x0090:  66fb ee3d b9c3 2bb2 5649 bdac 240d 4942  f..=..+.VI..$.IB
    0x00a0:  f588 e44a 44da 64cd f35c a73b 1bdf d9ac  ...JD.d..\.;....
    0x00b0:  1bad dfc1 4c75 253d dcf0 42f9 452b 1fea  ....Lu%=..B.E+..
    0x00c0:  d5d9 384b 9d63 804e ccfb 2f08 8404 035d  ..8K.c.N../....]
    0x00d0:  269b 0a99 7801 970c 9a                   &...x....

The TCP payload starts at 0x34 with 17 03 03 00 a0: a TLS application data record of 160 bytes. Nothing in it says which client sent it.

Page 40

Probably Browsing ¯\_(ツ)_/¯

Page 41

(The connection table from Page 37, repeated.)

Page 42

SRC                  DEST
192.168.1.37:3847    www.google.com:443
192.168.1.37:44870   Unknown:443
192.168.1.49:36469   FreeNode IRC:6667
192.168.1.122:51593  AWS Something:22
10.54.107.19:64926   Unknown:22
10.54.103.99:3010    AWS Something:443
10.54.103.76:3013    Unknown:80
10.54.103.66:3847    Internal SMTP:25
10.54.103.33:3009    AWS Something:443
10.54.103.99:3010    Sharepoint:443

Page 43

Same table as Page 42, with the client fingerprint called out on two of the connections: mitmproxy and Tor.

Page 44

"Anomaly Detection"

Page 45

Not Just Hax0ring

Page 46

Page 47

Attacker Level 1: Stealth MiTM

Page 48

Ways into the middle:

ARP Cache Poisoning
DNS Spoofing
BGP Hijacking
Hacked Proxy
Malicious Tor Node
Local Agent
Malicious Provider
Rogue DHCP

Page 49

TLS Attacks

Pages 50-52

Page 53

[Diagram: Client, Hacker, EvilServer, RealServer. The hacker's box completes the TCP handshake with the client and so receives the Client Hello before anything is decided; the fingerprint in it determines whether the connection is handed to the EvilServer or relayed untouched to the RealServer.]

Client -> Hacker: TCP: SYN
Hacker -> Client: TCP: SYN/ACK
Client -> Hacker: TCP: ACK
Client -> Hacker: Client Hello

Pages 54-55

Page 56

Defender Level 2: Fingerprint Defined Routing

Page 57

[Diagram: Client, Defence, RealServer, HoneyPot. The Defence box completes the TCP handshake, reads the Client Hello and routes on its fingerprint: expected clients go to the RealServer, suspicious ones to the HoneyPot.]

Client -> Defence: TCP: SYN
Defence -> Client: TCP: SYN/ACK
Client -> Defence: TCP: ACK
Client -> Defence: Client Hello

Page 58

Attacker Level 2: AntiForensics

Page 59

Enumerated Targets ✓ Prepared Exploits ✓ Delivered Stager/Phish ✓ Awaiting Callback …

Page 60

Meanwhile… someone fetches the payload with a browser User-Agent pasted onto wget:

wget --user-agent="Mozilla/4.0 (Windows; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" https://evil_url.com/thing/

Page 61

[Diagram: Client, Hacker, AttackServer, "Legit" Server. The User-Agent header says IE7 but the Client Hello fingerprint says wget. The attack server serves the exploit only to a genuine IE7 fingerprint and sends wget, in practice the investigator, on to the "Legit" server.]

Client -> Hacker: TCP: SYN
Hacker -> Client: TCP: SYN/ACK
Client -> Hacker: TCP: ACK
Client -> Hacker: Client Hello (User-Agent: IE7, fingerprint: wget)

Page 62

Defender Level 3: Fingerprint Canaries

Page 63

Homogeneous Platforms

Page 64

End Of Level Boss: Nation State Attackers (zomg!)

Page 65

Honorable Mention: HoneyPots

Page 66

Tools

Page 67

FingerprinTLS

$ sudo ./ssl_fingerprint/fingerprintls/fingerprintls -i en0 -s
Password:
Using interface: en0
Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56274 to 104.244.43.39:443 Servername: "pbs.twimg.com"
Fingerprint Matched: "Tor uplink" TLSv1.2 connection from 192.168.1.5:56281 to 167.114.152.100:443 Servername: "www.i6l66pzauglk2kqx2b.com"
Fingerprint Matched: "Tor uplink" TLSv1.2 connection from 192.168.1.5:56280 to 37.221.162.226:9001 Servername: "www.jy27vswlheykb2dptady.com"
Fingerprint Matched: "mutt (tested: 1.5.23 - OS X)" TLSv1.2 connection from 192.168.1.5:56316 to 74.125.69.108:993 Servername: "Not Set"
Fingerprint Matched: "ThunderBird (v38.0.1 OS X)" TLSv1.2 connection from 192.168.1.5:56394 to 74.125.69.108:993 Servername: "imap.gmail.com"
Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56233 to 104.244.43.199:443 Servername: "pbs.twimg.com"
Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56236 to 23.195.217.14:443 Servername: "s.mzstatic.com"
Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56242 to 184.25.66.217:443 Servername: "itunes.apple.com"
Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56243 to 23.195.218.30:443 Servername: "su.itunes.apple.com"
Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56246 to 23.21.97.18:443 Servername: "vine.co"
Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56247 to 184.25.66.217:443 Servername: "init.itunes.apple.com"
Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56248 to 104.244.43.229:443 Servername: "v.cdn.vine.co"
Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56250 to 17.173.66.136:443 Servername: "xp.apple.com"
Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56253 to 23.195.217.14:443 Servername: "s.mzstatic.com"
Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56259 to 23.195.218.30:443 Servername: "se.itunes.apple.com"
Fingerprint Matched: "AppleWebKit/600.7.12" TLSv1.2 connection from 192.168.1.5:56267 to 104.244.43.167:443 Servername: "pbs.twimg.com"
Fingerprint Matched: "AppleWebKit/600.7.12 or 600.1.4" TLSv1.2 connection from 192.168.1.5:56273 to 104.244.43.7:443 Servername: "pbs.twimg.com"

(The two Tor connections are matched on the Client Hello alone; the made-up www.<random>.com server names and the non-443 port contribute nothing.)

Page 68

Fingerprint out: C struct

{ 0, "Shodan", 0x0301, 0x0302, 0x0010,
  {0x00,0x14, 0x00,0x11, 0x00,0x19, 0x00,0x08, 0x00,0x06, 0x00,0x17, 0x00,0x03, 0x00,0xFF},
  1, {0x00},
  4, {0x00,0x23, 0x00,0x0F},
  0, {}, 0, {}, 0, {} }

Page 69

Fingerprint out: Snort rule. The options walk the Client Hello in wire order: record header 16 03 01, handshake type 01, handshake version 03 01, a byte_jump over the session ID using its length byte at payload offset 43, then the cipher suites length and list, the compression block, and the extension types in order, with a byte_jump over the server_name body so the variable-length hostname is skipped before the 0x0023 SessionTicket type is matched. Note that align rounds the session ID jump up to a multiple of 4, so a session ID whose length is not a multiple of 4 throws the rule off.

alert tcp any any -> any any ( msg:"ruby script (tested: 2.0.0p481)"; \
  content: "|16 03 01|"; offset: 0; depth: 3; rawbytes; \
  content: "|01|"; distance: 1; rawbytes; \
  content: "|03 01|"; distance: 3; rawbytes; \
  byte_jump: 1,43,align; \
  content: "|00 24|"; distance: 0; rawbytes; \
  content: "|00 39 00 38 00 35 00 33 00 32 00 2F 00 16 00 13 00 0A 00 9A 00 99 00 96 00 05 00 04 00 15 00 12 00 09 00 FF|"; distance: 0; rawbytes; \
  content: "|01 00|"; distance: 0; rawbytes; \
  content: "|00 00|"; rawbytes; distance: 2; \
  byte_jump: 2,0,relative; \
  content: "|00 23|"; rawbytes; distance: 0; \
  sid:1000169; rev:1;)

Page 70

Fingerprint out: xkeyscore format

$ ./parse_fingerprint.py ../json/combined.json xkeyscore

# Rule for "Mozilla/4.0 (compatible; MSIE 6.0 or MSIE 7.0)"
"\x16\x03\x01.*\x01.*\x03\x01.*\x00\x16\x00\x04\x00\x05\x00\x0\x00\x09\x00\x64\x00\x62\x00\x03\x00\x06\x00\x13\x00\x12\x00\x63.*\x00"

Page 71

Fingerprint out: cleanse (collision check)

$ ./parse_fingerprint.py ./combined.json cleanse | grep '#'
# Oh no, 2 signatures match: Java (tested: v8 Update 60) - Archive.org bot
# Oh no, 2 signatures match: Archive.org bot - Java (tested: v8 Update 60)

Page 72

(╯°□°)╯︵ ┻━┻

Page 73

Page 74

FingerPrint DB (one JSON record per line; the whitespace inside the values is as it appears on the slide)

{"id": 0, "desc": "MS Word / MS WebDav", "record_tls_version": " 0x0301", "tls_version": "0x0301 ", "ciphersuite_length": "0x0014 ", "ciphersuite": "0xC014 0xC013 0xC00A 0xC009 0x0035 0x002F 0x0038 0x0032 0x000A 0x0013", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0000 0x000A 0x000B 0xFF01", "e_curves": " 0x0019 0x0017 0x0018 ", "sig_alg": " ", "ec_point_fmt": " 0x00 ", "server": "" }
{"id": 0, "desc": "Internet Explorer 11.0.9600.17959", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x0030 ", "ciphersuite": "0xC028 0xC027 0xC014 0xC013 0x009F 0x009E 0x009D 0x009C 0xC02C 0xC02B 0xC024 0xC023 0xC00A 0xC009 0x003D 0x003C 0x0035 0x002F 0x006A 0x0040 0x0038 0x0032 0x000A 0x0013", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0000 0x0005 0x000A 0x000B 0x000D 0xFF01", "e_curves": " 0x0017 0x0018 0x0019 ", "sig_alg": " 0x0601 0x0603 0x0401 0x0501 0x0201 0x0403 0x0503 0x0203 0x0202 ", "ec_point_fmt": " 0x00 ", "server": "" }
{"id": 0, "desc": "Pidgin (tested 2.10.11)", "record_tls_version": " 0x0301", "tls_version": "0x0303 ", "ciphersuite_length": "0x0022 ", "ciphersuite": "0xC02B 0xC02F 0xC00A 0xC009 0xC013 0xC027 0xC014 0xC007 0xC011 0x009E 0x0033 0x0032 0x0067 0x0039 0x006B 0x002F 0x0035", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0000 0xFF01 0x000A 0x000B 0x000D", "e_curves": " 0x0017 0x0018 0x0019 ", "sig_alg": " 0x0401 0x0501 0x0201 0x0403 0x0503 0x0203 0x0402 0x0202 ", "ec_point_fmt": " 0x00 ", "server": "" }
{"id": 0, "desc": "Windows Java Plugin (tested: v8 Update 60)", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x003A ", "ciphersuite": "0xC023 0xC027 0x003C 0xC025 0xC029 0x0067 0x0040 0xC009 0xC013 0x002F 0xC004 0xC00E 0x0033 0x0032 0xC02B 0xC02F 0x009C 0xC02D 0xC031 0x009E 0x00A2 0xC008 0xC012 0x000A 0xC003 0xC00D 0x0016 0x0013 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x000A 0x000B 0x000D 0x0000", "e_curves": " 0x0017 0x0001 0x0003 0x0013 0x0015 0x0006 0x0007 0x0009 0x000A 0x0018 0x000B 0x000C 0x0019 0x000D 0x000E 0x000F 0x0010 0x0011 0x0002 0x0012 0x0004 0x0005 0x0014 0x0008 0x0016 ", "sig_alg": " 0x0603 0x0601 0x0503 0x0501 0x0403 0x0401 0x0303 0x0301 0x0203 0x0201 0x0202 0x0101 ", "ec_point_fmt": " 0x00 ", "server": "" }
{"id": 0, "desc": "Windows 8.x Apps Store thing (unconfirmed)", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x0034 ", "ciphersuite": "0xC028 0xC027 0xC014 0xC013 0x009F 0x009E 0x009D 0x009C 0x003D 0x003C 0x0035 0x002F 0xC02C 0xC02B 0xC024 0xC023 0xC00A 0xC009 0x006A 0x0040 0x0038 0x0032 0x000A 0x0013 0x0005 0x0004", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0000 0x000A 0x000B 0x000D 0x0023 0xFF01", "e_curves": " 0x0017 0x0018 ", "sig_alg": " 0x0401 0x0501 0x0601 0x0201 0x0403 0x0503 0x0603 0x0203 0x0202 ", "ec_point_fmt": " 0x00 ", "server": "" }
{"id": 0, "desc": "w3c HTML Validator", "record_tls_version": " 0x0301", "tls_version": "0x0303 ", "ciphersuite_length": "0x00AE ", "ciphersuite": "0xC030 0xC02C 0xC028 0xC024 0xC014 0xC00A 0x00A3 0x009F 0x006B 0x006A 0x0039 0x0038 0x0088 0x0087 0xC019 0x00A7 0x006D 0x003A 0x0089 0xC032 0xC02E 0xC02A 0xC026 0xC00F 0xC005 0x009D 0x003D 0x0035 0x0084 0xC012 0xC008 0x0016 0x0013 0xC017 0x001B 0xC00D 0xC003 0x000A 0xC02F 0xC02B 0xC027 0xC023 0xC013 0xC009 0x00A2 0x009E 0x0067 0x0040 0x0033 0x0032 0x009A 0x0099 0x0045 0x0044 0xC018 0x00A6 0x006C 0x0034 0x009B 0x0046 0xC031 0xC02D 0xC029 0xC025 0xC00E 0xC004 0x009C 0x003C 0x002F 0x0096 0x0041 0xC011 0xC007 0xC016 0x0018 0xC00C 0xC002 0x0005 0x0004 0x0014 0x0011 0x0019 0x0008 0x0006 0x0017 0x0003 0x00FF", "compression_length": "2 ", "compression": "0x01 0x00", "extensions": "0x0000 0x000B 0x000A 0x0023 0x000D 0x000F", "e_curves": " 0x000E 0x000D 0x0019 0x000B 0x000C 0x0018 0x0009 0x000A 0x0016 0x0017 0x0008 0x0006 0x0007 0x0014 0x0015 0x0004 0x0005 0x0012 0x0013 0x0001 0x0002 0x0003 0x000F 0x0010 0x0011 ", "sig_alg": " 0x0601 0x0602 0x0603 0x0501 0x0502 0x0503 0x0401 0x0402 0x0403 0x0301 0x0302 0x0303 0x0201 0x0202 0x0203 0x0101 ", "ec_point_fmt": " 0x00 0x01 0x02 ", "server": "" }
{"id": 0, "desc": "w3c HTML Validator", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x0064 ", "ciphersuite": "0xC024 0xC028 0x003D 0xC026 0xC02A 0x006B 0x006A 0xC00A 0xC014 0x0035 0xC005 0xC00F 0x0039 0x0038 0xC023 0xC027 0x003C 0xC025 0xC029 0x0067 0x0040 0xC009 0xC013 0x002F 0xC004 0xC00E 0x0033 0x0032 0xC02C 0xC02B 0xC030 0x009D 0xC02E 0xC032 0x009F 0x00A3 0xC02F 0x009C 0xC02D 0xC031 0x009E 0x00A2 0xC008 0xC012 0x000A 0xC003 0xC00D 0x0016 0x0013 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x000A 0x000B 0x000D 0x0000", "e_curves": " 0x0017 0x0001 0x0003 0x0013 0x0015 0x0006 0x0007 0x0009 0x000A 0x0018 0x000B 0x000C 0x0019 0x000D 0x000E 0x000F 0x0010 0x0011 0x0002 0x0012 0x0004 0x0005 0x0014 0x0008 0x0016 ", "sig_alg": " 0x0603 0x0601 0x0503 0x0501 0x0403 0x0401 0x0303 0x0301 0x0203 0x0201 0x0202 0x0101 ", "ec_point_fmt": " 0x00 ", "server": "" }
{"id": 0, "desc": "Archive.org bot", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x003A ", "ciphersuite": "0xC023 0xC027 0x003C 0xC025 0xC029 0x0067 0x0040 0xC009 0xC013 0x002F 0xC004 0xC00E 0x0033 0x0032 0xC02B 0xC02F 0x009C 0xC02D 0xC031 0x009E 0x00A2 0xC008 0xC012 0x000A 0xC003 0xC00D 0x0016 0x0013 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x000A 0x000B 0x000D 0x0000", "e_curves": " 0x0017 0x0001 0x0003 0x0013 0x0015 0x0006 0x0007 0x0009 0x000A 0x0018 0x000B 0x000C 0x0019 0x000D 0x000E 0x000F 0x0010 0x0011 0x0002 0x0012 0x0004 0x0005 0x0014 0x0008 0x0016 ", "sig_alg": " 0x0603 0x0601 0x0503 0x0501 0x0403 0x0401 0x0303 0x0301 0x0203 0x0201 0x0202 0x0101 ", "ec_point_fmt": " 0x00 ", "server": "" }
{"id": 0, "desc": "OpenSSL s-client with -tls1 flag", "record_tls_version": " 0x0301", "tls_version": "0x0301 ", "ciphersuite_length": "0x002E ", "ciphersuite": "0x0039 0x0038 0x0035 0x0016 0x0013 0x000A 0x0033 0x0032 0x002F 0x009A 0x0099 0x0096 0x0005 0x0004 0x0015 0x0012 0x0009 0x0014 0x0011 0x0008 0x0006 0x0003 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0023", "e_curves": " ", "sig_alg": " ", "ec_point_fmt": " ", "server": "" }
{"id": 0, "desc": "GNUTLS Commandline", "record_tls_version": " 0x0301", "tls_version": "0x0303 ", "ciphersuite_length": "0x0084 ", "ciphersuite": "0xC02B 0xC02C 0xC086 0xC087 0xC009 0xC023 0xC00A 0xC024 0xC072 0xC073 0xC008 0xC007 0xC02F 0xC030 0xC08A 0xC08B 0xC013 0xC027 0xC014 0xC028 0xC076 0xC077 0xC012 0xC011 0x009C 0x009D 0xC07A 0xC07B 0x002F 0x003C 0x0035 0x003D 0x0041 0x00BA 0x0084 0x00C0 0x000A 0x0005 0x0004 0x009E 0x009F 0xC07C 0xC07D 0x0033 0x0067 0x0039 0x006B 0x0045 0x00BE 0x0088 0x00C4 0x0016 0x00A2 0x00A3 0xC080 0xC081 0x0032 0x0040 0x0038 0x006A 0x0044 0x00BD 0x0087 0x00C3 0x0013 0x0066", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0005 0x0000 0xFF01 0x0023 0x000A 0x000B 0x000D", "e_curves": " 0x0017 0x0018 0x0019 0x0015 0x0013 ", "sig_alg": " 0x0401 0x0402 0x0403 0x0501 0x0503 0x0601 0x0603 0x0301 0x0302 0x0303 0x0201 0x0202 0x0203 ", "ec_point_fmt": " 0x00 ", "server": "" }
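Pages 69 to 74 show the same DB going out as a Snort rule and through the cleanse collision check. What follows is an added example in the spirit of parse_fingerprint.py, not the project's own code: it loads three records copied verbatim from the Page 74 DB (the two that collide on Page 71 plus the OpenSSL one), normalises the stray whitespace in the values so they compare properly, reports collisions, looks a parsed hello up, and emits a Snort rule with the same option walk as the Page 69 rule. Two departures from the slide's rule are deliberate and commented: every fixed content is pinned with within so it cannot drift forward, and byte_jump's align is omitted. The SID value is an assumption.

```python
"""Fingerprint DB handling in the spirit of the slides' parse_fingerprint.py:
load the concatenated JSON records, report collisions ("cleanse"), look a
parsed hello up, and emit a Snort rule shaped like the slide's ruby-script
rule. Added example for this page, not the project's code. The three records
are copied from the FingerPrint DB slide; the SID passed in is an assumption."""
import json

# Everything except id/desc/server is part of the fingerprint identity;
# the server name identifies the destination, not the client, so it is left out.
MATCH_FIELDS = ("record_tls_version", "tls_version", "ciphersuite_length",
                "ciphersuite", "compression_length", "compression",
                "extensions", "e_curves", "sig_alg", "ec_point_fmt")

DB_TEXT = r'''
{"id": 0, "desc": "Windows Java Plugin (tested: v8 Update 60)", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x003A ", "ciphersuite": "0xC023 0xC027 0x003C 0xC025 0xC029 0x0067 0x0040 0xC009 0xC013 0x002F 0xC004 0xC00E 0x0033 0x0032 0xC02B 0xC02F 0x009C 0xC02D 0xC031 0x009E 0x00A2 0xC008 0xC012 0x000A 0xC003 0xC00D 0x0016 0x0013 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x000A 0x000B 0x000D 0x0000", "e_curves": " 0x0017 0x0001 0x0003 0x0013 0x0015 0x0006 0x0007 0x0009 0x000A 0x0018 0x000B 0x000C 0x0019 0x000D 0x000E 0x000F 0x0010 0x0011 0x0002 0x0012 0x0004 0x0005 0x0014 0x0008 0x0016 ", "sig_alg": " 0x0603 0x0601 0x0503 0x0501 0x0403 0x0401 0x0303 0x0301 0x0203 0x0201 0x0202 0x0101 ", "ec_point_fmt": " 0x00 ", "server": "" }
{"id": 0, "desc": "Archive.org bot", "record_tls_version": " 0x0303", "tls_version": "0x0303 ", "ciphersuite_length": "0x003A ", "ciphersuite": "0xC023 0xC027 0x003C 0xC025 0xC029 0x0067 0x0040 0xC009 0xC013 0x002F 0xC004 0xC00E 0x0033 0x0032 0xC02B 0xC02F 0x009C 0xC02D 0xC031 0x009E 0x00A2 0xC008 0xC012 0x000A 0xC003 0xC00D 0x0016 0x0013 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x000A 0x000B 0x000D 0x0000", "e_curves": " 0x0017 0x0001 0x0003 0x0013 0x0015 0x0006 0x0007 0x0009 0x000A 0x0018 0x000B 0x000C 0x0019 0x000D 0x000E 0x000F 0x0010 0x0011 0x0002 0x0012 0x0004 0x0005 0x0014 0x0008 0x0016 ", "sig_alg": " 0x0603 0x0601 0x0503 0x0501 0x0403 0x0401 0x0303 0x0301 0x0203 0x0201 0x0202 0x0101 ", "ec_point_fmt": " 0x00 ", "server": "" }
{"id": 0, "desc": "OpenSSL s-client with -tls1 flag", "record_tls_version": " 0x0301", "tls_version": "0x0301 ", "ciphersuite_length": "0x002E ", "ciphersuite": "0x0039 0x0038 0x0035 0x0016 0x0013 0x000A 0x0033 0x0032 0x002F 0x009A 0x0099 0x0096 0x0005 0x0004 0x0015 0x0012 0x0009 0x0014 0x0011 0x0008 0x0006 0x0003 0x00FF", "compression_length": "1 ", "compression": "0x00", "extensions": "0x0023", "e_curves": " ", "sig_alg": " ", "ec_point_fmt": " ", "server": "" }
'''

def load_records(text: str) -> list:
    """The slide's DB is a run of JSON objects, not a JSON array: decode one
    object at a time with raw_decode and step over the whitespace between them."""
    dec, recs, pos = json.JSONDecoder(), [], 0
    text = text.strip()
    while pos < len(text):
        obj, pos = dec.raw_decode(text, pos)
        recs.append(obj)
        while pos < len(text) and text[pos].isspace():
            pos += 1
    return recs

def words(rec: dict, field: str) -> list:
    """'0x0301 ', ' 0x0017 0x0018 ' or '1 ' -> ints. The stray whitespace in
    the slide's DB must not make two otherwise identical records differ."""
    return [int(w, 0) for w in rec.get(field, "").split()]

def key(rec: dict) -> tuple:
    return tuple(tuple(words(rec, f)) for f in MATCH_FIELDS)

def find_collisions(recs: list) -> list:
    """The cleanse check: groups of descs whose fingerprints are identical."""
    groups = {}
    for r in recs:
        groups.setdefault(key(r), []).append(r["desc"])
    return [descs for descs in groups.values() if len(descs) > 1]

def lookup(recs: list, hello: dict) -> list:
    """Descs of every DB record matching a parsed hello (more than one on a collision)."""
    return [r["desc"] for r in recs if key(r) == key(hello)]

def snort_rule(rec: dict, sid: int) -> str:
    """Walk the ClientHello the way the slide's rule does: record header,
    handshake type, handshake version, hop over the session ID from its length
    byte at payload offset 43 (5 + 4 + 2 + 32), then suites, compression and the
    extension types in order, byte_jumping over each extension body."""
    be16 = lambda vals: " ".join(f"{v >> 8:02X} {v & 0xFF:02X}" for v in vals)
    rv, hv = words(rec, "record_tls_version")[0], words(rec, "tls_version")[0]
    suites, exts = words(rec, "ciphersuite"), words(rec, "extensions")
    comp = words(rec, "compression")
    comp_hex = " ".join(f"{c:02X}" for c in [len(comp)] + comp)
    opts = [
        f'content: "|16 {be16([rv])}|"; offset: 0; depth: 3; rawbytes;',
        # distance skips the 2-byte record length; within pins the match to that
        # one byte (the slide's rule uses distance 1 with no within, so it could
        # drift forward to a later 0x01 byte)
        'content: "|01|"; distance: 2; within: 1; rawbytes;',
        f'content: "|{be16([hv])}|"; distance: 3; within: 2; rawbytes;',   # skip 3-byte length
        # The slide's rule adds "align", which rounds the jump up to a 32-bit
        # boundary and misfires on session IDs whose length is not a multiple of 4.
        "byte_jump: 1,43;",
        f'content: "|{be16([2 * len(suites)])}|"; distance: 0; within: 2; rawbytes;',
        f'content: "|{be16(suites)}|"; distance: 0; within: {2 * len(suites)}; rawbytes;',
        f'content: "|{comp_hex}|"; distance: 0; within: {1 + len(comp)}; rawbytes;',
    ]
    for n, etype in enumerate(exts):
        # the first type follows the 2-byte extensions length; every body is
        # skipped via its own 2-byte length before the next type is matched
        opts.append(f'content: "|{be16([etype])}|"; distance: {2 if n == 0 else 0}; within: 2; rawbytes;')
        if n < len(exts) - 1:
            opts.append("byte_jump: 2,0,relative;")
    return (f'alert tcp any any -> any any ( msg:"{rec["desc"]}"; '
            + " ".join(opts) + f" sid:{sid}; rev:1;)")

if __name__ == "__main__":
    db = load_records(DB_TEXT)
    for group in find_collisions(db):
        print("# Oh no, %d signatures match: %s" % (len(group), " - ".join(group)))
    print(snort_rule(db[2], 1000001))
```

Run as a script it prints the same Java/Archive.org collision the cleanse output on Page 71 reports, then the rule for the OpenSSL record. Collisions are a property of the DB, not a bug: two applications on the same TLS library with the same settings send byte-identical Client Hellos, and the honest answer from lookup is every desc that matches.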

Page 75

Demo?

Page 76

What's Next?

Page 77

https://github.com/LeeBrotherston/tls-fingerprinting
http://www.slideshare.net/leebrotherston
@synackpse @FingerprinTLS #TLSFP
📖 https://blog.squarelemon.com/tls-fingerprinting/

Page 78

Random Observations

Page 79

Thank you!
Lee Brotherston
@synackpse #TLSFP