Fingerprinting Encrypted Channels with Bro for High Fidelity Detection Jeff to lead off the introduction and John to start describing How SSL works and Metasploit

Fingerprinting Encrypted Channels with Bro for High Fidelity Detection Jeff to lead off the introduction and John to start describing How SSL works and Metasploit

How SSL works Silly initial slide to set the tone. Note: The actual title card is later in the presentation, this is on purpose as a method of keeping the audience engaged.

How SSL works

How SSL works How NIDS would traditionally look at a TLS connection.

How SSL works Here’s how it actually works. This is the TCP 3-Way Handshake

How SSL works TCP 3-Way Handshake

How SSL works TCP 3-Way Handshake

How SSL works TLS Client Hello Packet

How SSL works TLS Server Hello Packet

How SSL works You’re looking for?

How SSL works You’re looking for?

How SSL works You’re looking for?

How SSL works You’re looking for?

How SSL works How NIDS would traditionally look at a TLS connection.

TTPs Tools Harder for threat actors to change Even harderer to detect Artifacts Domain Names IP Addresses Hash Values

Metasploit SSL

Default Metasploit SSL Cert in Bro x509.log certificate.issuer: CN=hrzvox.gov,O=bdlOFqMXlUfgoNQljMuRWgiJ,L=ZTIhjQVsJEuQIlS gScdegcLSLJVRE,ST=WI,C=US certificate.subject: CN=vl3qykkr.com,O=UPdkxNEasODSAlkvuadEMm,L=SZewokfDFSkaAsf KyeJMNtfleGT,ST=NV,C=US

/usr/share/metasploit-framework/lib/rex/socket/ssl_tcp_server.rb def makessl(params) ssl_cert = params.ssl_cert if ssl_cert issuer = OpenSSL::X509::Name.new([ ["C","US"], ['ST', Rex::Text.rand_state()], ["L", Rex::Text.rand_text_alpha(rand(20) + 10)], ["O", Rex::Text.rand_text_alpha(rand(20) + 10)], ["CN", Rex::Text.rand_hostname], ])

Default Metasploit SSL Cert in Bro x509.log certificate.issuer: CN=hrzvox.gov, O=bdlOFqMXlUfgoNQljMuRWgiJ, L=ZTIhjQVsJEuQIlSgScdegcLSLJVRE, ST=WI, C=US

Regex match on rand mixed alpha? bdlOFqMXlUfgoNQljMuRWgiJ ZTIhjQVsJEuQIlSgScdegcLSLJVRE alDSFlkasfQWAFlksSA aAfkVCIQmdSDlEkfASgKJZEk KfaNmtFxGPtqeK jQVsJEuQIlSgoNQljMuR CIQmddlOFqMXlUlDSFSgQljM SgoNQljasfOFqMXl KfIKwlMCZoetFFaLKXZ - xkcd

[a-z][A-Z]{2} - xkcd

if ( !(cert?$issuer) || (/C=US/ !in cert$issuer) ) return; local conn: connection; for ( c in f$conns ) conn=f$conns[c]; local metasploit = /[a-z][A-Z]{2}/; local x509_data: table[string] of string = table(); local parts = split(cert$issuer, /,/); for ( part_index in parts ) { local key_val = split1(parts[part_index], /=/); if ( 2 in key_val) x509_data[key_val[1]] = key_val[2]; } if ( "C" in x509_data && x509_data["C"] == "US" && "L" in x509_data && metasploit in x509_data["L"] ) NOTICE([$note=Metasploit_SSL_Cert, $conn=conn, $msg=fmt("Metasploit SSL, random issuer US city '%s'", x509_data["L"]), $sub=cert$issuer, $identifier=cert$issuer]);

Metasploit SSL Round 2

Metasploit SSL Cert Round 2 Explain Snakeoil

Metasploit SSL Cert Round 2 def self.ssl_generate_certificate yr = 24*3600*365 vf = Time.at(Time.now.to_i - rand(yr * 3) - yr) vt = Time.at(vf.to_i + (10 * yr)) cn = Rex::Text.rand_text_alpha_lower(rand(8)+2) key = OpenSSL::PKey::RSA.new(2048){ } cert = OpenSSL::X509::Certificate.new cert.version = 2 cert.serial = (rand(0xFFFFFFFF) << 32) + rand(0xFFFFFFFF) cert.subject = OpenSSL::X509::Name.new([["CN", cn]]) cert.issuer = OpenSSL::X509::Name.new([["CN", cn]]) cert.not_before = vf cert.not_after = vt cert.public_key = key.public_key ef = OpenSSL::X509::ExtensionFactory.new(nil,cert) cert.extensions = [ ef.create_extension("basicConstraints","CA:FALSE") ] ef.issuer_certificate = cert cert.sign(key, OpenSSL::Digest::SHA256.new)

Metasploit SSL Round 2 Bro logs ip.orig_h: 10.1.2.3 ip.orig_P: 1984 ip.resp_h: 192.0.2.1 ip.resp_p: 443 subject: CN=qjpozixk issuer: CN=qjpozixk version: TLSv12 certificate.sig_alg: sha256WithRSAEncryption validation_status: self signed certificate

Snakeoil Cert Metasploit Cert Issuer contains CN only Issuer and Subject are the same 2048bit Key Version 3 Valid for 10 years Starting now Usually SHA1 (for now) CN = Hostname.Domain Issuer contains CN only Issuer and Subject are the same 2048bit Key Version 3 Valid for 10 years Starting now - rand(yr * 3) - yr Always SHA256 CN = rand_text_alpha_lower(rand(8)+2) These make it easy to narrow down the search pattern.

Snakeoil Cert Metasploit Cert Issuer contains CN only Issuer and Subject are the same 2048bit Key Version 3 Valid for 10 years Starting now Usually SHA1 (for now) CN = Hostname.Domain Issuer contains CN only Issuer and Subject are the same 2048bit Key Version 3 Valid for 10 years Starting now - rand(yr * 3) - yr Always SHA256 CN = rand_text_alpha_lower(rand(8)+2) These are the main differences and are great for regex matches.

Bro Script event x509_certificate(f: fa_file , cert_ref: opaque of x509 , cert: X509::Certificate ) { for ( cid in f$conns ) { if ( cid$resp_h in 10.0.0.0/8 ) { return; } } if ( ! cert?$subject ) { return; } if ( ! cert?$issuer ) { return; } if ( cert$subject in falselist ) { return; } if ( cert$subject != cert$issuer ) { return; } if ( /^CN=[a-z]{2,10}$/ == cert$subject ) if ( "sha256WithRSAEncryption" == cert$sig_alg ) NOTICE([$note=Metasploit_SSL_Cert, $conn=f$conns[cid], $msg=fmt("Metasploit Randomly Generated SSL Cert, '%s'", cert$subject), $sub=cert$issuer]); } 8 lines of code to detect HD’s 16 lines of code

Metasploit SSL Round 3

Certificate Style subject=/C=US/ST=WI/L=Denise/O=Gary/CN=41tw6z.yl.biz issuer=/C=US/O=Timothy/CN=Alan Jessica subject=/C=US/ST=WI/L=Steven/O=George/CN=p.h1qtuz.org issuer=/C=US/O=Andrea/CN=Bobby Jeremy subject=/C=US/ST=VT/L=Antonio/O=Roy/CN=td.0swgljfedb.a.edu issuer=/C=US/O=Nicholas/CN=Gregory Harry

Certificate Style subject=/C=US/ST=WI/L=Denise/O=Gary/CN=41tw6z.yl.biz issuer=/C=US/O=Timothy/CN=Alan Jessica subject=/C=US/ST=WI/L=Steven/O=George/CN=p.h1qtuz.org issuer=/C=US/O=Andrea/CN=Bobby Jeremy subject=/C=US/ST=VT/L=Antonio/O=Roy/CN=td.0swgljfedb.a.edu issuer=/C=US/O=Nicholas/CN=Gregory Harry subject=^C=US\/ST=[A-Z]{2}\/L=[A-Z][a-z]+\/O=[A-Z][a-z]+\/CN=(\w|\.)+$ issuer=^C=US\/O=[A-Z][a-z]+\/CN=[A-Z][a-z]+\s[A-Z][a-z]+$ Add in logic for the cert style and you have solid detection with little to no false positives

Certificate Style CertSubject: C=/C=US/ST=* CertIssuer: C=/C=US/ST=* Subject: C=/C=US/ST=VA/O=Nienow LLC/OU=connect/CN=nienow.llc.org/emailAddress=connect@nienow.llc.org Issuer: C=/C=US/ST=VA/O=Nienow LLC/OU=connect/CN=nienow.llc.org/emailAddress=connect@nienow.llc.org Subject: C=/C=US/ST=TN/O=Toy-Rippin/OU=interface/CN=toy.rippin.org/emailAddress=interface@toy.rippin.org Issuer: C=/C=US/ST=TN/O=Toy-Rippin/OU=interface/CN=toy.rippin.org/emailAddress=interface@toy.rippin.org CertSubject: C=/C=US/ST=* CertIssuer: C=/C=US/ST=* Add in logic for the cert style and you have solid detection with little to no false positives

Certificate Style subject=^C=US\/ST=[A-Z]{2}\/L=[A-Z][a-z]+\/O=[A-Z][a-z]+\/CN=(\w|\.)+$ issuer=^C=US\/O=[A-Z][a-z]+\/CN=[A-Z][a-z]+\s[A-Z][a-z]+$ Add in logic for the cert style and you have solid detection with little to no false positives

Harder for threat actors to change TTPs Tools Harder for threat actors to change Even harderer to detect Artifacts Domain Names IP Addresses Hash Values Jeff to pick up here -

How SSL works Let’s take a closer look at the TLS Client Hello Packet

First to the Key (2009) Blog posts go back as far as 2009 on using cipher suites as a way to fingerprint clients

Lee Brotherston (Derbycon 2015) Lee Brotherston created TLSFingerprint, a standalone tool for fingerprinting clients. However, the output was large and we needed a solution that would work on our existing tools.

Our Requirements Needs to work on existing tools Unique to client application like FingerprinTLS Easy to create Easy to share Easy to consume by any tool Our requirements for a TLS fingerprinting solution

How SSL works Each client formulates it’s TLS client hello packet differently depending on certain conditions in which the client application was compiled.

How SSL works Notice the differences between these two similar programs

Microsoft Edge (Browser) Example

Dridex Malware (Banking Trojan) Example

Trickbot Malware (Banking Trojan) Example, notice TLS 1.0

Microsoft Edge (Browser) Microsoft orders ciphers from most secure to least

Trickbot Malware (Banking Trojan) Malware usually doesn’t

Fingerprinting TLS Clients Each client formulates it’s TLS client hello packet differently depending on certain conditions in which the client application was compiled. How do we turn these unique differences into easily consumable fingerprints.

Fingerprinting TLS - The JA3 Method

Fingerprinting TLS - The JA3 Method Version 771

Fingerprinting TLS - The JA3 Method Version,Ciphers 771,49172-157-156-61-53-47-10

Fingerprinting TLS - The JA3 Method Version,Ciphers,Extensions 771,49172-157-156-61-53-47-10,0-5-10-11-13

Fingerprinting TLS - The JA3 Method Version,Ciphers,Extensions,EllipticCurves 771,49172-157-156-61-53-47-10,0-5-10-11-13,29-23-24

Fingerprinting TLS - The JA3 Method Version,Ciphers,Extensions,EllipticCurves,ECPointFormats 771,49172-157-156-61-53-47-10,0-5-10-11-13,29-23-24,0

Fingerprinting TLS - The JA3 Method Version,Ciphers,Extensions,EllipticCurves,ECPointFormats 771,49172-157-156-61-53-47-10,0-5-10-11-13,29-23-24,0 MD5 hash

Fingerprinting TLS - The JA3 Method Version,Ciphers,Extensions,EllipticCurves,ECPointFormats 771,49172-157-156-61-53-47-10,0-5-10-11-13,29-23-24,0 MD5 hash JA3 = f4c4f050188e15839a6cd3af798b6c77

Fingerprinting TLS - The JA3 Method Version,Ciphers,Extensions,EllipticCurves,ECPointFormats 771,49172-157-156-61-53-47-10,,, MD5 hash JA3 = 4dd4fca5534245b13b641d54a7035851

Fingerprinting TLS - The JA3 Method 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0 JA3 = ce5f3254611a8c095a3d821d44539877

Google Chrome JA3 = 94c485bca29d5392be53f2b8cf7f4304

Microsoft Edge JA3 = 10ee8d30a5d01c042afd7b2b205facc4

Tor Client JA3 = e7d705a3286e19ea42f587b344ee6865

Dridex Malware JA3 = 74927e242d6c3febf8cb9cab10a7f889

Trickbot Malware JA3 = 6734f37431670b3ab4292b8f60f29984

JA3 on TLS 1.3

JA3 on TLS 1.3

No Server, No Problem Fully negotiated connections are not necessary. Server could be misconfigured or sinkholed. Client application can still be identified.

TTPs Tools Harder for threat actors to change Even harderer to detect Artifacts Domain Names IP Addresses Hash Values

https://github.com/salesforce/ja3 JA3 https://github.com/salesforce/ja3 pip install pyja3 bro-pkg install ja3 Created by: John Althouse Jeff Atkinson Josh Atkins Concept and Inspiration from: Lee Brotherston Turn over to John for Metasploit Round 3

Mapping JA3 to Client Application https://github.com/salesforce/ja3/tree/master/lists

Mapping JA3 to Client Application Jeff picks up here

Mapping JA3 to Client Application

Mapping JA3 to Client Application This is my Mac laptop and the client applications connecting outbound. This is pretty accurate, though not perfect, it’s amazing for a tool that is just listening on the network.

Example Network What can we see in a large example network?

Domain=steampowered.com Ah, my fellow PC Gamers :)

Malware and Sandboxes

Baseline your sandbox https://github.com/gbarford/testssl Win10-socket: c12f54a3f91dc7bafd92cb59fe009a35 Win10-socket-SNI: 3b5074b1b5d032e5620f69f9f700ff0e Win10-powershell: fc54e0d16d9764783542f0146a98b300 Win10-powershell-SNI: 54328bd36c14bd82ddaa0c04b25ed9ad Win10-iexplore: be6155e945a3e59a1dd0841b86f6c945 Win10-iexplore-SNI: 10ee8d30a5d01c042afd7b2b205facc4 Win2016-socket: 043c543b63b895881d9abfbc320cb863 Win2016-socket-SNI: 7c410ce832e848a3321432c9a82e972b Win2016-powershell: 17b69de9188f4c205a00fe5ae9c1151f Win2016-powershell-SNI: 235a856727c14dba889ddee0a38dd2f2 Win2016-iexplore: 4f2e9c50db9bd107439136bd24740c0d Win2016-iexplore-SNI: f88610704d61a237aa9e5e0849573998

File Exfil Detection Over TLS Original Concept by Bob Rotsted https://github.com/reservoirlabs/bro-scripts/tree/master/exfil-detection-framework

Normal Outbound Traffic

File Transfer Outbound

Threshold Byte Count and Byte Rate

Exfil Detection from the Wire Source IP: 10.1.2.3 Destination IPs: 50.1.2.3, 50.1.2.4, 50.1.2.5 … Destination Port: 443 Service: HTTPS Destination Certificate: CN=*.dropbox.com ... Certificate Valid: True Files Transferred: 512 TotalBytes Transferred: 2,048MB

Exfil Detection from the Wire Source IP: 10.1.2.3 Destination IPs: 50.1.2.3, 50.1.2.4, 50.1.2.5 … Destination Port: 443 Service: HTTPS Destination Certificate: CN=*.dropbox.com ... Certificate Valid: True Files Transferred: 512 TotalBytes Transferred: 2,048MB JA3: fa030dbcb2e3c7141d3c2803780ee8db JA3ClientApplication: Dropbox

Exfil Detection from the Wire Source IP: 10.1.2.3 Destination IPs: 50.1.2.3, 50.1.2.4, 50.1.2.5 … Destination Port: 443 Service: HTTPS Destination Certificate: CN=*.dropbox.com ... Certificate Valid: True Files Transferred: 512 TotalBytes Transferred: 2,048MB JA3: fc54e0d16d9764783542f0146a98b300 JA3ClientApplication: Powershell

Hunting weird Cert Subjects Found some

Hunting weird Cert Subjects Found some

CN=www.okrgpc6n32clgswq4e.net Pivot on the JA3

JA3=2d8794cb7b52b777bee2695e79c15760 DGA located. This happens to be Tor, but it’s a great example of how one can pivot on the JA3 to find what else the client connects to. Ability to better enumerate actor’s infrastructure.

Evilginx E V I Username LG Password N Cookie 2FA X TLS Server Hello Packet

Evilginx E V I Username LG Password N Cookie 2FA X TLS Server Hello Packet

Evilginx TLS Server Hello Packet

Evilginx TLS Server Hello Packet

Evilginx man-in-the-middle attack framework phishing login credentials session cookies to bypass 2-factor authentication protection. Released July and gaining momentum. Written in GO, can be noisy. JA3: d3e1de2ca313c6c0a639f69cc3e924a4 Possible Detection for Web Logins: Combine GO JA3 with User-Agent to confirm GO Proxy, not GO Client If you have a service that is accepting customer logins, how many customers are logging in with GO clients? Do you know? JA3 will tell you.

John picks up here

Pupy RAT As with most open source pen testing tools, it’s used in actual devastating attacks.

Pupy RAT Traditional IOCs - Secureworks

Pupy RAT How PuppyRAT configures it’s cipher organization

Pupy RAT JA3=d461cb26d9efc16067d3ff7704cea87f Makes fingerprinting PuppyRAT easy. Notice the invalid cipher in the middle, luckily, hackers are just as bad at writing code as the rest of us.

Targeted Malware

Pen Testers This custom malware was designed to evade detection because it was over TLS to a legitimate destination. Notice the single Cipher, that never happens, never.

Pen Testers JA3: 87bb7d3dcf10752c52ebeb53f0a57700 Fingerprint String: 771,49196,13172-5-10-11- 13-65281-16-18,24,0 In this example, detection was very simple and easy with zero false positives.

Metasploit SSL Round 4

Metasploit SSL Round 4 These are connection examples with Meterpreter/reverse_https

Moloch Also, this is the Moloch tool.

Moloch molo.ch Check out Moloch at molo.ch

Meterpreter on Windows 10 Anyway, take a look at the JA3 for each connection, the length of time, and packets

Meterpreter on Windows 10 Anyway, take a look at the JA3 for each connection, the length of time, and packets

Windows 10 Meterpreter HTTPS IP JA3: 72a589da586844d7f0818ce684948eea Domain JA3: a0e9f5d64349fb13191bc781f81f42e1 Detection could be built on this alone

payload/windows/meterpreter/reverse_https Win10 Meterpreter JA3: 72a589da586844d7f0818ce684948eea While the JA3 for Meterpreter payload on Win10 is a VERY iffy thing to completely base detection off of

JA3S Fingerprinting Server Hellos

Hypothesis AAAAAAAAA A server will respond to different clients differently, however it will respond to the same client the same

Hypothesis AAA A server will respond to different clients differently, however it will respond to the same client the same

Hypothesis BBBBBBBB A server will respond to different clients differently, however it will respond to the same client the same

Hypothesis BBB A server will respond to different clients differently, however it will respond to the same client the same

The JA3S Method

The JA3S Method

The JA3S Method Server Version 769,

The JA3S Method Server Version,Cipher Picked 769,49172,

The JA3S Method Server Version,Cipher Picked,Extensions 769,49172,65281-11

The JA3S Method Server Version,Cipher Picked,Extensions 769,49172,65281-11 MD5 hash

The JA3S Method Server Version,Cipher Picked,Extensions 769,49172,65281-11 MD5 hash JA3S = 623de93db17d313345d7ea481e7443cf

JA3 JA3S Example, the JA3 ending in cc4 is powershell, in 9ad is Microsoft Edge, the server always responds the same to each client but differently to different clients

JA3 JA3S Example, the JA3 ending in cc4 is powershell, in 9ad is Microsoft Edge, the server always responds the same to each client but differently to different clients

Trickbot Malware JA3 = 6734f37431670b3ab4292b8f60f29984 JA3S = 623de93db17d313345d7ea481e7443cf

IcedID Malware JA3 = 4d7a28d6f2263ed61de88ca66eb011e3 JA3S = 80b3a14bccc8598a1f3bbe83e71f735f

JA3S = a95ca7eab4d47d051a5cd4fb7b6005dc Tor JA3 = e7d705a3286e19ea42f587b344ee6865 JA3S = a95ca7eab4d47d051a5cd4fb7b6005dc

https://github.com/salesforce/ja3 JA3S https://github.com/salesforce/ja3 pip install pyja3 bro-pkg install ja3

Metasploit SSL Round 5

payload/windows/meterpreter/reverse_https Kali JA3S: 70999de61602be74d4b25185843bd18e Lets look at Metasploit again. Here’s Metasploit’s server hello responding to meterpreter payload on Windows10. Notice the cipher suite it chose, the extensions it decided to use.

payload/windows/meterpreter/reverse_https Kali Metasploit JA3S: 70999de61602be74d4b25185843bd18e And the JA3S is also iffy

payload/windows/meterpreter/reverse_https JA3=72a589da586844d7f0818ce684948eea AND JA3S=70999de61602be74d4b25185843bd18e Combined together and it’s all you need for detecting Metasploit, regardless of the certificate

payload/windows/meterpreter/reverse_https JA3=72a589da586844d7f0818ce684948eea AND JA3S=70999de61602be74d4b25185843bd18e Combined together and it’s all you need for detecting Metasploit, regardless of the certificate

Cobalt Strike - Beacon (Windows 10)

Cobalt Strike - Beacon (Kali Linux)

Cobalt Strike - Beacon (Kali Linux)

Cobalt Strike - Beacon (Kali Linux) JA3=72a589da586844d7f0818ce684948eea AND JA3S=b742b407517bac9536a77a7b0fee28e9 Combined together and it’s all you need for detecting Metasploit, regardless of the certificate

Simple Low False Positive Detection Metasploit Win10 to Kali: (JA3=72a589da586844d7f0818ce684948eea OR JA3=a0e9f5d64349fb13191bc781f81f42e1) AND JA3S=70999de61602be74d4b25185843bd18e Cobalt Strike Win10 to Kali: (JA3=72a589da586844d7f0818ce684948eea OR JA3=a0e9f5d64349fb13191bc781f81f42e1) AND JA3S=b742b407517bac9536a77a7b0fee28e9 Detection could be built on this alone

Empire (Python)

Empire (Pen Testers) In this example, the malware is the Python version of Empire

Empire (Pen Testers) JA3=Python

Empire (Pen Testers) I forgot to take a screenshot but this is what it looked like in Splunk, I swear.

Empire (Pen Testers) The JA3S is their server

Empire (Pen Testers) JA3+JA3S, super rare and that’s the detection.

HASSH Fingerprinting for SSH Clients and Servers Idea and Concept by Ben Reardon Jeff to pick up here

HASSH

HASSH

HASSH ToDo: add link to Ben’s Salesforce Engineering Blog Post

Fingerprinting SSH - The HASSH Method

Fingerprinting SSH - The HASSH Method KeyExchange; curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256;

Fingerprinting SSH - The HASSH Method KeyExchange;Encryption; curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256;aes128-cbc,aes128-ctr;

Fingerprinting SSH - The HASSH Method KeyExchange;Encryption;MessageAuth; curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256;aes128-cbc,aes128-ctr;hmac-sha1,hmac-sha1–96;

Fingerprinting SSH - The HASSH Method KeyExchange;Encryption;MessageAuth;Compression curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256;aes128-cbc,aes128-ctr;hmac-sha1,hmac-sha1–96;zlib@openssh.com,zlib,none

Fingerprinting SSH - The HASSH Method KeyExchange;Encryption;MessageAuth;Compression curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256;aes128-cbc,aes128-ctr;hmac-sha1,hmac-sha1–96;zlib@openssh.com,zlib,none MD5 hash

Fingerprinting SSH - The HASSH Method KeyExchange;Encryption;MessageAuth;Compression curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256;aes128-cbc,aes128-ctr;hmac-sha1,hmac-sha1–96;zlib@openssh.com,zlib,none MD5 hash HASSH = 9c325a9bc631ff065307ccc05217c7da

Fingerprinting SSH - The HASSH Method curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256@ssh.com,diffie-hellman-group15-sha256,diffie-hellman-group15-sha256@ssh.com,diffie-hellman-group15-sha384@ssh.com,diffie-hellman-group16-sha256,diffie-hellman-group16-sha384@ssh.com,diffie-hellman-group16-sha512@ssh.com,diffie-hellman-group18-sha512@ssh.com;aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,blowfish-cbc,blowfish-ctr,cast128-cbc,cast128-ctr,idea-cbc,idea-ctr,serpent128-cbc,serpent128-ctr,serpent192-cbc,serpent192-ctr,serpent256-cbc,serpent256-ctr,3des-cbc,3des-ctr,twofish128-cbc,twofish128-ctr,twofish192-cbc,twofish192-ctr,twofish256-cbc,twofish256-ctr,twofish-cbc,arcfour,arcfour128,arcfour256;hmac-sha1,hmac-sha1–96,hmac-md5,hmac-md5–96,hmac-sha2–256,hmac-sha2–512;zlib@openssh.com,zlib,none

Fingerprinting SSH - The HASSH Method curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256@ssh.com,diffie-hellman-group15-sha256,diffie-hellman-group15-sha256@ssh.com,diffie-hellman-group15-sha384@ssh.com,diffie-hellman-group16-sha256,diffie-hellman-group16-sha384@ssh.com,diffie-hellman-group16-sha512@ssh.com,diffie-hellman-group18-sha512@ssh.com;aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,blowfish-cbc,blowfish-ctr,cast128-cbc,cast128-ctr,idea-cbc,idea-ctr,serpent128-cbc,serpent128-ctr,serpent192-cbc,serpent192-ctr,serpent256-cbc,serpent256-ctr,3des-cbc,3des-ctr,twofish128-cbc,twofish128-ctr,twofish192-cbc,twofish192-ctr,twofish256-cbc,twofish256-ctr,twofish-cbc,arcfour,arcfour128,arcfour256;hmac-sha1,hmac-sha1–96,hmac-md5,hmac-md5–96,hmac-sha2–256,hmac-sha2–512;zlib@openssh.com,zlib,none HASSH = 8a8ae540028bf433cd68356c1b9e8d5b

HASSH https://github.com/salesforce/hassh https://engineering.salesforce.com/ Created by: Ben Reardon @benreardon Adel Karimi @0x4d31 John Althouse @4A4133 Jeff Atkinson /in/anNh

Conclusion JA3 is not a silver bullet Application collisions can happen Applications can connect through OS APIs There can be up to 5 JA3s for the same application But it is always valuable as a pivot point for analysis JA3 is a silver bullet (sometimes) Each environment is different Combined with JA3S allows for fingerprinting the entire TLS communication between client and server

Conclusion This style of fingerprinting can work across other encrypted channels! Please take this, use it, build off of our research, make it better, help push the industry forward.

https://github.com/salesforce/ja3 https://github.com/salesforce/hassh John Althouse Threat Detection jalthouse@salesforce.com @4A4133 Jeff Atkinson Threat Intel jatkinson@salesforce.com @4a7361 in/anNh