app:tlsfingerprint

Differences

app:tlsfingerprint [2017/11/28 18:24]
veera [What is TLS Fingerprinting]
app:tlsfingerprint [2018/03/04 07:57] (current)
veera
Line 1: Line 1:
 +~~Title: TLS Fingerprinting using Trisul ~~ 
 +
 ====== TLS Fingerprinter ====== ====== TLS Fingerprinter ======
  
Line 10: Line 12:
 ===== What is TLS Fingerprinting ===== ===== What is TLS Fingerprinting =====
  
-This technique builds upon the patterns found in the client ​preferences that are advertised in the "​Client Hello" message that is sent as the very first message in the TLS Handshake process. This message is un-encryptedtherefore ​it allows for NSM tools like Trisul to look at it.  ​Each SSL/TLS Client ​such as browsers use a particular version of a particular implementation of SSL/TLS. Some major implementations are OpenSSL, GnuTLS, Windows, Java SSE, NSS, embedded libraries like WolfSSL etc. +This technique builds upon the patterns found in the preferences that are advertised in the "​Client Hello" message that is sent by the client ​as the very first message in the TLS Handshake process. This message is unencryptedso it allows for NSM tools like Trisul to look at it.  ​Every SSL/TLS Client ​uses a particular version of a particular implementation of SSL/​TLS ​library. Some major implementations are OpenSSL, GnuTLS, Windows, Java SSE, NSS, WolfSSL etc. 
  
 The 3 major fields in the Client Hello that can identify a client are  The 3 major fields in the Client Hello that can identify a client are 
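Review bot: The rewritten sentence on the right-hand side reads "a particular implementation of SSL/TLS library", which needs an article ("of an SSL/TLS library"). The implementation list on both sides still says "Java SSE": Java's TLS stack is JSSE (Java Secure Socket Extension), and the Windows implementation is normally referred to as SChannel, so consider "Windows (SChannel), JSSE". The new text also drops the qualifier "embedded libraries like" before WolfSSL; keeping it tells readers why WolfSSL is listed alongside the desktop and server libraries.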
Line 20: Line 22:
 So if you take all the three together there is a high likelyhood that you can minimize collisions and identify a particular client on a particular operating system.If you printed out the values of all these three fields and then computed a MD5 hash over the string, we can get a '​fingerprint'​. ​ We can call this a //JA3 hash// as proposed by the researchers John Althouse and team.  ​ So if you take all the three together there is a high likelyhood that you can minimize collisions and identify a particular client on a particular operating system.If you printed out the values of all these three fields and then computed a MD5 hash over the string, we can get a '​fingerprint'​. ​ We can call this a //JA3 hash// as proposed by the researchers John Althouse and team.  ​
  
-At first, this approach may seem a bit flaky but it is not easy for an application to change its //print// dynamically without some major code rewrite. We currently have about 300 hashes largely due to Lee Brotherston'​s ​original work. We at Trisul also added in some 50 hashes+At first, this approach may seem a bit flaky but it is not easy for an application to change its //print// dynamically without some major code rewrite. We currently have about 300 hashes largely due to Lee Brotherston'​s ​effort. We at Trisul also added in some 50-60 new prints
  
-Links +<​note>​  
 +Further reading
   * [[https://​github.com/​synackpse|Lee Brotherstons work]] on TLS Fingerprinting   * [[https://​github.com/​synackpse|Lee Brotherstons work]] on TLS Fingerprinting
 +  * [[https://​blog.squarelemon.com/​tls-fingerprinting/​|Square Lemon blog TLS Fingerprinting]]
   * [[https://​github.com/​salesforce/​ja3|JA3 Hash]]  ​   * [[https://​github.com/​salesforce/​ja3|JA3 Hash]]  ​
 +</​note>​
 ==== Fingerprints database ==== ==== Fingerprints database ====
  
-The fingerprints database we have at our [[https://​raw.githubusercontent.com/​trisulnsm/​trisul-scripts/​master/​lua/​frontend_scripts/​reassembly/​ja3/​prints/​ja3fingerprint.json|Github repo]] contains some 450 signatures in a JSON file.  Each print is on a single line. The JA3 hash which identifies a particular client+The fingerprints database we have at our [[https://​raw.githubusercontent.com/​trisulnsm/​trisul-scripts/​master/​lua/​frontend_scripts/​reassembly/​ja3/​prints/​ja3fingerprint.json|Github repo]] contains some 450 signatures in a JSON file.  Each print is on a single line.  If you captured on a live network the JA3 hash ''​d82cbe0b93f2b02d490a14f6bc1d421a''​ you can flag that as ''​PaleMoon Browser 27.4.2''​
  
 <​code>​ <​code>​
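Review bot: The counts in this hunk do not agree within the new revision: the paragraph says about 300 hashes from Lee Brotherston's effort plus some 50-60 new prints, while the "Fingerprints database" paragraph right below says the JSON file contains some 450 signatures; state one figure or say where the remaining prints come from. Two typos survive on both sides: "likelyhood" should be "likelihood", and "operating system.If" is missing a space after the full stop. Since the PaleMoon example (JA3 hash d82cbe0b93f2b02d490a14f6bc1d421a) was moved above the code block, it now precedes the line format it relies on; a short "for example, the entry below" would connect the sentence to the sample that follows.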
Line 37: Line 41:
 </​code>​ </​code>​
  
-So if you captured on a live network the JA3 hash ''​d82cbe0b93f2b02d490a14f6bc1d421a''​ you can flag that as ''​PaleMoon Browser 27.4.2''​ 
  
  
-===== Analysis of TLS Fingerprints ​=====+==== Analysis of TLS Fingerprints ====
    
-What are you going to do with these prints. There are a few options ​+There are two actionable things ​you can do with these prints 
 +  
 +  * **Malware prints** ​ - These are hard to come by  but if you can get a few prints from malware clients. You can flag them quickly. These will likely evade IDS because they use TLS to connect to presumably well known C&C servers with valid certificates etc. 
 +  * **Anomaly detection** : If you can track known prints,then you can build a large Database over a period of time. After that you can send unseen prints into a "​Triage state" where a human can look into it. 
  
-  * Malware prints ​ - These are hard to come by  but if you can get a few prints from malware clients. You can flag them quickly. These will likely evade IDS because they use TLS to connect to presumably well known C&C servers with valid certificates etc. 
-  * Anomaly detection : If you can track known prints,then you can build a large Database over a period of time. After that you can send unseen prints into a "​Triage state" where a human can look into it.  
  
-In both analysis paths,we think TLS Prints is a valuable piece of intel, especially given we are moving to pervasive TLS. +===== How the TrisulNSM App works  =====
  
 +The TLS Print app is written in LuaJIT and plugs into the TrisulNSM Scripting Engine. The source code for the App is available on the [[https://​github.com/​trisulnsm/​apps/​tree/​master/​analyzers/​tls-print|Github trisulnsm/​apps repo]]. Essentially it uses the [[https://​www.trisul.org/​docs/​lua/​reassembly.html|"​TCP Reassembly Handler"​]] Lua script type and parses the Client Hello messages and constructs the JA3 fingerprints and pushes them back into the Trisul streaming pipeline. ​
  
-Lets look at what you can do with TrisulNSM and the new TLS Prints App.+The app generates ​the following pieces of info
  
- +  ​**Metrics** :  The app generates metrics for each TLS-Print it finds. If the print is a known one, it also updates the label. You can do long term trend analysis to see when each print was seen over the past few months. 
-===== Using Trisul streaming analytics ===== +  - **Graph Analytics** : When a Print is seen , the edge vertices namely the IP Flow Tuples, and the SNI (Server Name Indication) Extension are added. 
- +  - **Alerts** : Right now we dont have many Malware prints, but when do we have them, the App can generate an alert. ​
-Since we do not yet have many malware fingerprints,​ we rely on anomaly detection to build a profile, then pick out the outliers. ​ For this purpose, the new //TLS Printer App// provides the following analysis paths. +
- +
-  ​- Metrics :  The app generates metrics for each TLS-Print it finds. If the print is a known one, it also updates the label. You can do long term trend analysis to see when each print was seen over the past few months. +
-  - Graph Analytics : When a Print is seen , the edge vertices namely the IP Flow Tuples, and the SNI (Server Name Indication) Extension are added. +
-  - Alerts : Right now we dont have many Malware prints, but when we have them, the App can generate an alert. ​+
  
  
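Review bot: In the added numbered list, the first item (the "**Metrics**" line) lacks the "  - " list marker that the "Graph Analytics" and "Alerts" items carry, so it will render as a plain paragraph instead of item 1; add the marker. In the "Alerts" item, "but when do we have them" should read "but when we do have them", and "dont" should be "don't". The rewrite also drops the sentence "In both analysis paths, we think TLS Prints is a valuable piece of intel, especially given we are moving to pervasive TLS"; if that was unintentional, it fits at the end of the "Analysis of TLS Fingerprints" list. Finally, the analysis heading was demoted from ===== to ==== while the new "How the TrisulNSM App works" heading is =====; check that the levels match the intended outline.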
Line 95: Line 95:
 When you reveal adjacent vertices in [[https://​www.trisul.org/​docs/​ug/​edges/​index.html|Trisul EDGE]] you will see vertices of all types. One of vertex types is **User-Agent** others are TLS Cert, Country, ASN etc.  We are lucky that we found a single User Agent around the same time interval as Semrush - which happens to be a SEO Bot. So there .. this **TLS Print can be pegged to SEMRUSH Bot**. ​ You can then go to the Key Dashboard and set the label to //resolve the previously unknown TLS Print// When you reveal adjacent vertices in [[https://​www.trisul.org/​docs/​ug/​edges/​index.html|Trisul EDGE]] you will see vertices of all types. One of vertex types is **User-Agent** others are TLS Cert, Country, ASN etc.  We are lucky that we found a single User Agent around the same time interval as Semrush - which happens to be a SEO Bot. So there .. this **TLS Print can be pegged to SEMRUSH Bot**. ​ You can then go to the Key Dashboard and set the label to //resolve the previously unknown TLS Print//
  
-==== Programatically resolving TLS Prints ====+===== Programatically resolving TLS Prints ​=====
  
-The TrisulNSM TLS-Print ​App logs all fingerprints ​in a file located in the following directoryIt also includs the so called JA3-String which is text string used to compute the hash (print)The format of the file is +This App dumps all fingerprints ​along with the parameters used to compute them into log file. This allows us to programatically resolve unknown fingerprints. We released ​TRP Ruby script ​to [[app:​auto_fingerprint|programatically resolve TLS Prints using Web Server Access Logs]].
  
  
  
-If you can access ​to a busy Web Server you can setup a // HTTP 301 Redirect // to help resolve TLS Prints. The way it works is  +We invite ​you to try this app in your network and let us know how it works. It is free to run . 
- +
-  +
- +
  
  
  
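Review bot: The heading on both sides misspells "Programatically" (should be "Programmatically"), and the new paragraph needs two articles: "into a log file" and "We released a TRP Ruby script". More substantively, the new text no longer names the JA3-String (the text string that is hashed to produce the print) and, like the removed text, never gives the log file's location or line format; a script that resolves prints against web server access logs has to read that file, so stating the path and showing one sample line would make the linked procedure reproducible. The removed text only promised "the following directory" and "the format of the file" without supplying either, so this is a chance to add them rather than a regression.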
app/tlsfingerprint.1511893491.txt.gz · Last modified: 2017/11/28 18:24 by veera