Fingerprinting Encrypted Channels with Bro for High Fidelity Detection Jeff to lead off the introduction and John to start describing How SSL works and Metasploit
Fingerprinting Encrypted Channels with Bro for High Fidelity Detection Jeff to lead off the introduction and John to start describing How SSL works and Metasploit
How SSL works Silly initial slide to set the tone. Note: The actual title card is later in the presentation, this is on purpose as a method of keeping the audience engaged.
How SSL works
How SSL works How NIDS would traditionally look at a TLS connection.
How SSL works Here’s how it actually works. This is the TCP 3-Way Handshake
How SSL works TCP 3-Way Handshake
How SSL works TCP 3-Way Handshake
How SSL works TLS Client Hello Packet
How SSL works TLS Server Hello Packet
How SSL works You’re looking for?
How SSL works You’re looking for?
How SSL works You’re looking for?
How SSL works You’re looking for?
How SSL works How NIDS would traditionally look at a TLS connection.
TTPs Tools Harder for threat actors to change Even harderer to detect Artifacts Domain Names IP Addresses Hash Values
Metasploit SSL
Default Metasploit SSL Cert in Bro x509.log certificate.issuer: CN=hrzvox.gov,O=bdlOFqMXlUfgoNQljMuRWgiJ,L=ZTIhjQVsJEuQIlS gScdegcLSLJVRE,ST=WI,C=US certificate.subject: CN=vl3qykkr.com,O=UPdkxNEasODSAlkvuadEMm,L=SZewokfDFSkaAsf KyeJMNtfleGT,ST=NV,C=US
/usr/share/metasploit-framework/lib/rex/socket/ssl_tcp_server.rb def makessl(params) ssl_cert = params.ssl_cert if ssl_cert issuer = OpenSSL::X509::Name.new([ ["C","US"], ['ST', Rex::Text.rand_state()], ["L", Rex::Text.rand_text_alpha(rand(20) + 10)], ["O", Rex::Text.rand_text_alpha(rand(20) + 10)], ["CN", Rex::Text.rand_hostname], ])
Default Metasploit SSL Cert in Bro x509.log certificate.issuer: CN=hrzvox.gov, O=bdlOFqMXlUfgoNQljMuRWgiJ, L=ZTIhjQVsJEuQIlSgScdegcLSLJVRE, ST=WI, C=US
Regex match on rand mixed alpha? bdlOFqMXlUfgoNQljMuRWgiJ ZTIhjQVsJEuQIlSgScdegcLSLJVRE alDSFlkasfQWAFlksSA aAfkVCIQmdSDlEkfASgKJZEk KfaNmtFxGPtqeK jQVsJEuQIlSgoNQljMuR CIQmddlOFqMXlUlDSFSgQljM SgoNQljasfOFqMXl KfIKwlMCZoetFFaLKXZ - xkcd
[a-z][A-Z]{2} - xkcd
if ( !(cert?$issuer) || (/C=US/ !in cert$issuer) ) return; local conn: connection; for ( c in f$conns ) conn=f$conns[c]; local metasploit = /[a-z][A-Z]{2}/; local x509_data: table[string] of string = table(); local parts = split(cert$issuer, /,/); for ( part_index in parts ) { local key_val = split1(parts[part_index], /=/); if ( 2 in key_val) x509_data[key_val[1]] = key_val[2]; } if ( "C" in x509_data && x509_data["C"] == "US" && "L" in x509_data && metasploit in x509_data["L"] ) NOTICE([$note=Metasploit_SSL_Cert, $conn=conn, $msg=fmt("Metasploit SSL, random issuer US city '%s'", x509_data["L"]), $sub=cert$issuer, $identifier=cert$issuer]);
Metasploit SSL Round 2
Metasploit SSL Cert Round 2 Explain Snakeoil
Metasploit SSL Cert Round 2 def self.ssl_generate_certificate yr = 24*3600*365 vf = Time.at(Time.now.to_i - rand(yr * 3) - yr) vt = Time.at(vf.to_i + (10 * yr)) cn = Rex::Text.rand_text_alpha_lower(rand(8)+2) key = OpenSSL::PKey::RSA.new(2048){ } cert = OpenSSL::X509::Certificate.new cert.version = 2 cert.serial = (rand(0xFFFFFFFF) << 32) + rand(0xFFFFFFFF) cert.subject = OpenSSL::X509::Name.new([["CN", cn]]) cert.issuer = OpenSSL::X509::Name.new([["CN", cn]]) cert.not_before = vf cert.not_after = vt cert.public_key = key.public_key ef = OpenSSL::X509::ExtensionFactory.new(nil,cert) cert.extensions = [ ef.create_extension("basicConstraints","CA:FALSE") ] ef.issuer_certificate = cert cert.sign(key, OpenSSL::Digest::SHA256.new)
Metasploit SSL Round 2 Bro logs ip.orig_h: 10.1.2.3 ip.orig_P: 1984 ip.resp_h: 192.0.2.1 ip.resp_p: 443 subject: CN=qjpozixk issuer: CN=qjpozixk version: TLSv12 certificate.sig_alg: sha256WithRSAEncryption validation_status: self signed certificate
Snakeoil Cert Metasploit Cert Issuer contains CN only Issuer and Subject are the same 2048bit Key Version 3 Valid for 10 years Starting now Usually SHA1 (for now) CN = Hostname.Domain Issuer contains CN only Issuer and Subject are the same 2048bit Key Version 3 Valid for 10 years Starting now - rand(yr * 3) - yr Always SHA256 CN = rand_text_alpha_lower(rand(8)+2) These make it easy to narrow down the search pattern.
Snakeoil Cert Metasploit Cert Issuer contains CN only Issuer and Subject are the same 2048bit Key Version 3 Valid for 10 years Starting now Usually SHA1 (for now) CN = Hostname.Domain Issuer contains CN only Issuer and Subject are the same 2048bit Key Version 3 Valid for 10 years Starting now - rand(yr * 3) - yr Always SHA256 CN = rand_text_alpha_lower(rand(8)+2) These are the main differences and are great for regex matches.
Bro Script event x509_certificate(f: fa_file , cert_ref: opaque of x509 , cert: X509::Certificate ) { for ( cid in f$conns ) { if ( cid$resp_h in 10.0.0.0/8 ) { return; } } if ( ! cert?$subject ) { return; } if ( ! cert?$issuer ) { return; } if ( cert$subject in falselist ) { return; } if ( cert$subject != cert$issuer ) { return; } if ( /^CN=[a-z]{2,10}$/ == cert$subject ) if ( "sha256WithRSAEncryption" == cert$sig_alg ) NOTICE([$note=Metasploit_SSL_Cert, $conn=f$conns[cid], $msg=fmt("Metasploit Randomly Generated SSL Cert, '%s'", cert$subject), $sub=cert$issuer]); } 8 lines of code to detect HD’s 16 lines of code
Metasploit SSL Round 3
Certificate Style subject=/C=US/ST=WI/L=Denise/O=Gary/CN=41tw6z.yl.biz issuer=/C=US/O=Timothy/CN=Alan Jessica subject=/C=US/ST=WI/L=Steven/O=George/CN=p.h1qtuz.org issuer=/C=US/O=Andrea/CN=Bobby Jeremy subject=/C=US/ST=VT/L=Antonio/O=Roy/CN=td.0swgljfedb.a.edu issuer=/C=US/O=Nicholas/CN=Gregory Harry
Certificate Style subject=/C=US/ST=WI/L=Denise/O=Gary/CN=41tw6z.yl.biz issuer=/C=US/O=Timothy/CN=Alan Jessica subject=/C=US/ST=WI/L=Steven/O=George/CN=p.h1qtuz.org issuer=/C=US/O=Andrea/CN=Bobby Jeremy subject=/C=US/ST=VT/L=Antonio/O=Roy/CN=td.0swgljfedb.a.edu issuer=/C=US/O=Nicholas/CN=Gregory Harry subject=^C=US\/ST=[A-Z]{2}\/L=[A-Z][a-z]+\/O=[A-Z][a-z]+\/CN=(\w|\.)+$ issuer=^C=US\/O=[A-Z][a-z]+\/CN=[A-Z][a-z]+\s[A-Z][a-z]+$ Add in logic for the cert style and you have solid detection with little to no false positives
Certificate Style CertSubject: C=/C=US/ST=* CertIssuer: C=/C=US/ST=* Subject: C=/C=US/ST=VA/O=Nienow LLC/OU=connect/CN=nienow.llc.org/emailAddress=connect@nienow.llc.org Issuer: C=/C=US/ST=VA/O=Nienow LLC/OU=connect/CN=nienow.llc.org/emailAddress=connect@nienow.llc.org Subject: C=/C=US/ST=TN/O=Toy-Rippin/OU=interface/CN=toy.rippin.org/emailAddress=interface@toy.rippin.org Issuer: C=/C=US/ST=TN/O=Toy-Rippin/OU=interface/CN=toy.rippin.org/emailAddress=interface@toy.rippin.org CertSubject: C=/C=US/ST=* CertIssuer: C=/C=US/ST=* Add in logic for the cert style and you have solid detection with little to no false positives
Certificate Style subject=^C=US\/ST=[A-Z]{2}\/L=[A-Z][a-z]+\/O=[A-Z][a-z]+\/CN=(\w|\.)+$ issuer=^C=US\/O=[A-Z][a-z]+\/CN=[A-Z][a-z]+\s[A-Z][a-z]+$ Add in logic for the cert style and you have solid detection with little to no false positives
Harder for threat actors to change TTPs Tools Harder for threat actors to change Even harderer to detect Artifacts Domain Names IP Addresses Hash Values Jeff to pick up here -
How SSL works Let’s take a closer look at the TLS Client Hello Packet
First to the Key (2009) Blog posts go back as far as 2009 on using cipher suites as a way to fingerprint clients
Lee Brotherston (Derbycon 2015) Lee Brotherston created TLSFingerprint, a standalone tool for fingerprinting clients. However, the output was large and we needed a solution that would work on our existing tools.
Our Requirements Needs to work on existing tools Unique to client application like FingerprinTLS Easy to create Easy to share Easy to consume by any tool Our requirements for a TLS fingerprinting solution
How SSL works Each client formulates it’s TLS client hello packet differently depending on certain conditions in which the client application was compiled.
How SSL works Notice the differences between these two similar programs
Microsoft Edge (Browser) Example
Dridex Malware (Banking Trojan) Example
Trickbot Malware (Banking Trojan) Example, notice TLS 1.0
Microsoft Edge (Browser) Microsoft orders ciphers from most secure to least
Trickbot Malware (Banking Trojan) Malware usually doesn’t
Fingerprinting TLS Clients Each client formulates it’s TLS client hello packet differently depending on certain conditions in which the client application was compiled. How do we turn these unique differences into easily consumable fingerprints.
Fingerprinting TLS - The JA3 Method
Fingerprinting TLS - The JA3 Method Version 771
Fingerprinting TLS - The JA3 Method Version,Ciphers 771,49172-157-156-61-53-47-10
Fingerprinting TLS - The JA3 Method Version,Ciphers,Extensions 771,49172-157-156-61-53-47-10,0-5-10-11-13
Fingerprinting TLS - The JA3 Method Version,Ciphers,Extensions,EllipticCurves 771,49172-157-156-61-53-47-10,0-5-10-11-13,29-23-24
Fingerprinting TLS - The JA3 Method Version,Ciphers,Extensions,EllipticCurves,ECPointFormats 771,49172-157-156-61-53-47-10,0-5-10-11-13,29-23-24,0
Fingerprinting TLS - The JA3 Method Version,Ciphers,Extensions,EllipticCurves,ECPointFormats 771,49172-157-156-61-53-47-10,0-5-10-11-13,29-23-24,0 MD5 hash
Fingerprinting TLS - The JA3 Method Version,Ciphers,Extensions,EllipticCurves,ECPointFormats 771,49172-157-156-61-53-47-10,0-5-10-11-13,29-23-24,0 MD5 hash JA3 = f4c4f050188e15839a6cd3af798b6c77
Fingerprinting TLS - The JA3 Method Version,Ciphers,Extensions,EllipticCurves,ECPointFormats 771,49172-157-156-61-53-47-10,,, MD5 hash JA3 = 4dd4fca5534245b13b641d54a7035851
Fingerprinting TLS - The JA3 Method 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0 JA3 = ce5f3254611a8c095a3d821d44539877
Google Chrome JA3 = 94c485bca29d5392be53f2b8cf7f4304
Microsoft Edge JA3 = 10ee8d30a5d01c042afd7b2b205facc4
Tor Client JA3 = e7d705a3286e19ea42f587b344ee6865
Dridex Malware JA3 = 74927e242d6c3febf8cb9cab10a7f889
Trickbot Malware JA3 = 6734f37431670b3ab4292b8f60f29984
JA3 on TLS 1.3
JA3 on TLS 1.3
No Server, No Problem Fully negotiated connections are not necessary. Server could be misconfigured or sinkholed. Client application can still be identified.
TTPs Tools Harder for threat actors to change Even harderer to detect Artifacts Domain Names IP Addresses Hash Values
https://github.com/salesforce/ja3 JA3 https://github.com/salesforce/ja3 pip install pyja3 bro-pkg install ja3 Created by: John Althouse Jeff Atkinson Josh Atkins Concept and Inspiration from: Lee Brotherston Turn over to John for Metasploit Round 3
Mapping JA3 to Client Application https://github.com/salesforce/ja3/tree/master/lists
Mapping JA3 to Client Application Jeff picks up here
Mapping JA3 to Client Application
Mapping JA3 to Client Application This is my Mac laptop and the client applications connecting outbound. This is pretty accurate, though not perfect, it’s amazing for a tool that is just listening on the network.
Example Network What can we see in a large example network?
Domain=steampowered.com Ah, my fellow PC Gamers :)
Malware and Sandboxes
Baseline your sandbox https://github.com/gbarford/testssl Win10-socket: c12f54a3f91dc7bafd92cb59fe009a35 Win10-socket-SNI: 3b5074b1b5d032e5620f69f9f700ff0e Win10-powershell: fc54e0d16d9764783542f0146a98b300 Win10-powershell-SNI: 54328bd36c14bd82ddaa0c04b25ed9ad Win10-iexplore: be6155e945a3e59a1dd0841b86f6c945 Win10-iexplore-SNI: 10ee8d30a5d01c042afd7b2b205facc4 Win2016-socket: 043c543b63b895881d9abfbc320cb863 Win2016-socket-SNI: 7c410ce832e848a3321432c9a82e972b Win2016-powershell: 17b69de9188f4c205a00fe5ae9c1151f Win2016-powershell-SNI: 235a856727c14dba889ddee0a38dd2f2 Win2016-iexplore: 4f2e9c50db9bd107439136bd24740c0d Win2016-iexplore-SNI: f88610704d61a237aa9e5e0849573998
File Exfil Detection Over TLS Original Concept by Bob Rotsted https://github.com/reservoirlabs/bro-scripts/tree/master/exfil-detection-framework
Normal Outbound Traffic
File Transfer Outbound
Threshold Byte Count and Byte Rate
Exfil Detection from the Wire Source IP: 10.1.2.3 Destination IPs: 50.1.2.3, 50.1.2.4, 50.1.2.5 … Destination Port: 443 Service: HTTPS Destination Certificate: CN=*.dropbox.com ... Certificate Valid: True Files Transferred: 512 TotalBytes Transferred: 2,048MB
Exfil Detection from the Wire Source IP: 10.1.2.3 Destination IPs: 50.1.2.3, 50.1.2.4, 50.1.2.5 … Destination Port: 443 Service: HTTPS Destination Certificate: CN=*.dropbox.com ... Certificate Valid: True Files Transferred: 512 TotalBytes Transferred: 2,048MB JA3: fa030dbcb2e3c7141d3c2803780ee8db JA3ClientApplication: Dropbox
Exfil Detection from the Wire Source IP: 10.1.2.3 Destination IPs: 50.1.2.3, 50.1.2.4, 50.1.2.5 … Destination Port: 443 Service: HTTPS Destination Certificate: CN=*.dropbox.com ... Certificate Valid: True Files Transferred: 512 TotalBytes Transferred: 2,048MB JA3: fc54e0d16d9764783542f0146a98b300 JA3ClientApplication: Powershell
Hunting weird Cert Subjects Found some
Hunting weird Cert Subjects Found some
CN=www.okrgpc6n32clgswq4e.net Pivot on the JA3
JA3=2d8794cb7b52b777bee2695e79c15760 DGA located. This happens to be Tor, but it’s a great example of how one can pivot on the JA3 to find what else the client connects to. Ability to better enumerate actor’s infrastructure.
Evilginx E V I Username LG Password N Cookie 2FA X TLS Server Hello Packet
Evilginx E V I Username LG Password N Cookie 2FA X TLS Server Hello Packet
Evilginx TLS Server Hello Packet
Evilginx TLS Server Hello Packet
Evilginx man-in-the-middle attack framework phishing login credentials session cookies to bypass 2-factor authentication protection. Released July and gaining momentum. Written in GO, can be noisy. JA3: d3e1de2ca313c6c0a639f69cc3e924a4 Possible Detection for Web Logins: Combine GO JA3 with User-Agent to confirm GO Proxy, not GO Client If you have a service that is accepting customer logins, how many customers are logging in with GO clients? Do you know? JA3 will tell you.
John picks up here
Pupy RAT As with most open source pen testing tools, it’s used in actual devastating attacks.
Pupy RAT Traditional IOCs - Secureworks
Pupy RAT How PuppyRAT configures it’s cipher organization
Pupy RAT JA3=d461cb26d9efc16067d3ff7704cea87f Makes fingerprinting PuppyRAT easy. Notice the invalid cipher in the middle, luckily, hackers are just as bad at writing code as the rest of us.
Targeted Malware
Pen Testers This custom malware was designed to evade detection because it was over TLS to a legitimate destination. Notice the single Cipher, that never happens, never.
Pen Testers JA3: 87bb7d3dcf10752c52ebeb53f0a57700 Fingerprint String: 771,49196,13172-5-10-11- 13-65281-16-18,24,0 In this example, detection was very simple and easy with zero false positives.
Metasploit SSL Round 4
Metasploit SSL Round 4 These are connection examples with Meterpreter/reverse_https
Moloch Also, this is the Moloch tool.
Moloch molo.ch Check out Moloch at molo.ch
Meterpreter on Windows 10 Anyway, take a look at the JA3 for each connection, the length of time, and packets
Meterpreter on Windows 10 Anyway, take a look at the JA3 for each connection, the length of time, and packets
Windows 10 Meterpreter HTTPS IP JA3: 72a589da586844d7f0818ce684948eea Domain JA3: a0e9f5d64349fb13191bc781f81f42e1 Detection could be built on this alone
payload/windows/meterpreter/reverse_https Win10 Meterpreter JA3: 72a589da586844d7f0818ce684948eea While the JA3 for Meterpreter payload on Win10 is a VERY iffy thing to completely base detection off of
JA3S Fingerprinting Server Hellos
Hypothesis AAAAAAAAA A server will respond to different clients differently, however it will respond to the same client the same
Hypothesis AAA A server will respond to different clients differently, however it will respond to the same client the same
Hypothesis BBBBBBBB A server will respond to different clients differently, however it will respond to the same client the same
Hypothesis BBB A server will respond to different clients differently, however it will respond to the same client the same
The JA3S Method
The JA3S Method
The JA3S Method Server Version 769,
The JA3S Method Server Version,Cipher Picked 769,49172,
The JA3S Method Server Version,Cipher Picked,Extensions 769,49172,65281-11
The JA3S Method Server Version,Cipher Picked,Extensions 769,49172,65281-11 MD5 hash
The JA3S Method Server Version,Cipher Picked,Extensions 769,49172,65281-11 MD5 hash JA3S = 623de93db17d313345d7ea481e7443cf
JA3 JA3S Example, the JA3 ending in cc4 is powershell, in 9ad is Microsoft Edge, the server always responds the same to each client but differently to different clients
JA3 JA3S Example, the JA3 ending in cc4 is powershell, in 9ad is Microsoft Edge, the server always responds the same to each client but differently to different clients
Trickbot Malware JA3 = 6734f37431670b3ab4292b8f60f29984 JA3S = 623de93db17d313345d7ea481e7443cf
IcedID Malware JA3 = 4d7a28d6f2263ed61de88ca66eb011e3 JA3S = 80b3a14bccc8598a1f3bbe83e71f735f
JA3S = a95ca7eab4d47d051a5cd4fb7b6005dc Tor JA3 = e7d705a3286e19ea42f587b344ee6865 JA3S = a95ca7eab4d47d051a5cd4fb7b6005dc
https://github.com/salesforce/ja3 JA3S https://github.com/salesforce/ja3 pip install pyja3 bro-pkg install ja3
Metasploit SSL Round 5
payload/windows/meterpreter/reverse_https Kali JA3S: 70999de61602be74d4b25185843bd18e Lets look at Metasploit again. Here’s Metasploit’s server hello responding to meterpreter payload on Windows10. Notice the cipher suite it chose, the extensions it decided to use.
payload/windows/meterpreter/reverse_https Kali Metasploit JA3S: 70999de61602be74d4b25185843bd18e And the JA3S is also iffy
payload/windows/meterpreter/reverse_https JA3=72a589da586844d7f0818ce684948eea AND JA3S=70999de61602be74d4b25185843bd18e Combined together and it’s all you need for detecting Metasploit, regardless of the certificate
payload/windows/meterpreter/reverse_https JA3=72a589da586844d7f0818ce684948eea AND JA3S=70999de61602be74d4b25185843bd18e Combined together and it’s all you need for detecting Metasploit, regardless of the certificate
Cobalt Strike - Beacon (Windows 10)
Cobalt Strike - Beacon (Kali Linux)
Cobalt Strike - Beacon (Kali Linux)
Cobalt Strike - Beacon (Kali Linux) JA3=72a589da586844d7f0818ce684948eea AND JA3S=b742b407517bac9536a77a7b0fee28e9 Combined together and it’s all you need for detecting Metasploit, regardless of the certificate
Simple Low False Positive Detection Metasploit Win10 to Kali: (JA3=72a589da586844d7f0818ce684948eea OR JA3=a0e9f5d64349fb13191bc781f81f42e1) AND JA3S=70999de61602be74d4b25185843bd18e Cobalt Strike Win10 to Kali: (JA3=72a589da586844d7f0818ce684948eea OR JA3=a0e9f5d64349fb13191bc781f81f42e1) AND JA3S=b742b407517bac9536a77a7b0fee28e9 Detection could be built on this alone
Empire (Python)
Empire (Pen Testers) In this example, the malware is the Python version of Empire
Empire (Pen Testers) JA3=Python
Empire (Pen Testers) I forgot to take a screenshot but this is what it looked like in Splunk, I swear.
Empire (Pen Testers) The JA3S is their server
Empire (Pen Testers) JA3+JA3S, super rare and that’s the detection.
HASSH Fingerprinting for SSH Clients and Servers Idea and Concept by Ben Reardon Jeff to pick up here
HASSH
HASSH
HASSH ToDo: add link to Ben’s Salesforce Engineering Blog Post
Fingerprinting SSH - The HASSH Method
Fingerprinting SSH - The HASSH Method KeyExchange; curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256;
Fingerprinting SSH - The HASSH Method KeyExchange;Encryption; curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256;aes128-cbc,aes128-ctr;
Fingerprinting SSH - The HASSH Method KeyExchange;Encryption;MessageAuth; curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256;aes128-cbc,aes128-ctr;hmac-sha1,hmac-sha1–96;
Fingerprinting SSH - The HASSH Method KeyExchange;Encryption;MessageAuth;Compression curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256;aes128-cbc,aes128-ctr;hmac-sha1,hmac-sha1–96;zlib@openssh.com,zlib,none
Fingerprinting SSH - The HASSH Method KeyExchange;Encryption;MessageAuth;Compression curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256;aes128-cbc,aes128-ctr;hmac-sha1,hmac-sha1–96;zlib@openssh.com,zlib,none MD5 hash
Fingerprinting SSH - The HASSH Method KeyExchange;Encryption;MessageAuth;Compression curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256;aes128-cbc,aes128-ctr;hmac-sha1,hmac-sha1–96;zlib@openssh.com,zlib,none MD5 hash HASSH = 9c325a9bc631ff065307ccc05217c7da
Fingerprinting SSH - The HASSH Method curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256@ssh.com,diffie-hellman-group15-sha256,diffie-hellman-group15-sha256@ssh.com,diffie-hellman-group15-sha384@ssh.com,diffie-hellman-group16-sha256,diffie-hellman-group16-sha384@ssh.com,diffie-hellman-group16-sha512@ssh.com,diffie-hellman-group18-sha512@ssh.com;aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,blowfish-cbc,blowfish-ctr,cast128-cbc,cast128-ctr,idea-cbc,idea-ctr,serpent128-cbc,serpent128-ctr,serpent192-cbc,serpent192-ctr,serpent256-cbc,serpent256-ctr,3des-cbc,3des-ctr,twofish128-cbc,twofish128-ctr,twofish192-cbc,twofish192-ctr,twofish256-cbc,twofish256-ctr,twofish-cbc,arcfour,arcfour128,arcfour256;hmac-sha1,hmac-sha1–96,hmac-md5,hmac-md5–96,hmac-sha2–256,hmac-sha2–512;zlib@openssh.com,zlib,none
Fingerprinting SSH - The HASSH Method curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256@ssh.com,diffie-hellman-group15-sha256,diffie-hellman-group15-sha256@ssh.com,diffie-hellman-group15-sha384@ssh.com,diffie-hellman-group16-sha256,diffie-hellman-group16-sha384@ssh.com,diffie-hellman-group16-sha512@ssh.com,diffie-hellman-group18-sha512@ssh.com;aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,blowfish-cbc,blowfish-ctr,cast128-cbc,cast128-ctr,idea-cbc,idea-ctr,serpent128-cbc,serpent128-ctr,serpent192-cbc,serpent192-ctr,serpent256-cbc,serpent256-ctr,3des-cbc,3des-ctr,twofish128-cbc,twofish128-ctr,twofish192-cbc,twofish192-ctr,twofish256-cbc,twofish256-ctr,twofish-cbc,arcfour,arcfour128,arcfour256;hmac-sha1,hmac-sha1–96,hmac-md5,hmac-md5–96,hmac-sha2–256,hmac-sha2–512;zlib@openssh.com,zlib,none HASSH = 8a8ae540028bf433cd68356c1b9e8d5b
HASSH https://github.com/salesforce/hassh https://engineering.salesforce.com/ Created by: Ben Reardon @benreardon Adel Karimi @0x4d31 John Althouse @4A4133 Jeff Atkinson /in/anNh
Conclusion JA3 is not a silver bullet Application collisions can happen Applications can connect through OS APIs There can be up to 5 JA3s for the same application But it is always valuable as a pivot point for analysis JA3 is a silver bullet (sometimes) Each environment is different Combined with JA3S allows for fingerprinting the entire TLS communication between client and server
Conclusion This style of fingerprinting can work across other encrypted channels! Please take this, use it, build off of our research, make it better, help push the industry forward.
https://github.com/salesforce/ja3 https://github.com/salesforce/hassh John Althouse Threat Detection jalthouse@salesforce.com @4A4133 Jeff Atkinson Threat Intel jatkinson@salesforce.com @4a7361 in/anNh