Download presentation
Presentation is loading. Please wait.
Published bySnežana Dimić Modified over 5 years ago
1
Fingerprinting Encrypted Channels with Bro for High Fidelity Detection
Jeff to lead off the introduction and John to start describing How SSL works and Metasploit
2
Fingerprinting Encrypted Channels with Bro for High Fidelity Detection
Jeff to lead off the introduction and John to start describing How SSL works and Metasploit
3
How SSL works Silly initial slide to set the tone. Note: The actual title card is later in the presentation, this is on purpose as a method of keeping the audience engaged.
4
How SSL works
5
How SSL works How NIDS would traditionally look at a TLS connection.
6
How SSL works Here’s how it actually works. This is the TCP 3-Way Handshake
7
How SSL works TCP 3-Way Handshake
8
How SSL works TCP 3-Way Handshake
9
How SSL works TLS Client Hello Packet
10
How SSL works TLS Server Hello Packet
11
How SSL works You’re looking for?
12
How SSL works You’re looking for?
13
How SSL works You’re looking for?
14
How SSL works You’re looking for?
15
How SSL works How NIDS would traditionally look at a TLS connection.
16
TTPs Tools Harder for threat actors to change Even harderer to detect Artifacts Domain Names IP Addresses Hash Values
17
Metasploit SSL
18
Default Metasploit SSL Cert in Bro
x509.log certificate.issuer: CN=hrzvox.gov,O=bdlOFqMXlUfgoNQljMuRWgiJ,L=ZTIhjQVsJEuQIlS gScdegcLSLJVRE,ST=WI,C=US certificate.subject: CN=vl3qykkr.com,O=UPdkxNEasODSAlkvuadEMm,L=SZewokfDFSkaAsf KyeJMNtfleGT,ST=NV,C=US
19
/usr/share/metasploit-framework/lib/rex/socket/ssl_tcp_server.rb def makessl(params) ssl_cert = params.ssl_cert if ssl_cert issuer = OpenSSL::X509::Name.new([ ["C","US"], ['ST', Rex::Text.rand_state()], ["L", Rex::Text.rand_text_alpha(rand(20) + 10)], ["O", Rex::Text.rand_text_alpha(rand(20) + 10)], ["CN", Rex::Text.rand_hostname], ])
20
Default Metasploit SSL Cert in Bro
x509.log certificate.issuer: CN=hrzvox.gov, O=bdlOFqMXlUfgoNQljMuRWgiJ, L=ZTIhjQVsJEuQIlSgScdegcLSLJVRE, ST=WI, C=US
21
Regex match on rand mixed alpha?
bdlOFqMXlUfgoNQljMuRWgiJ ZTIhjQVsJEuQIlSgScdegcLSLJVRE alDSFlkasfQWAFlksSA aAfkVCIQmdSDlEkfASgKJZEk KfaNmtFxGPtqeK jQVsJEuQIlSgoNQljMuR CIQmddlOFqMXlUlDSFSgQljM SgoNQljasfOFqMXl KfIKwlMCZoetFFaLKXZ - xkcd
22
[a-z][A-Z]{2} - xkcd
23
if ( !(cert?$issuer) || (/C=US/ !in cert$issuer) )
return; local conn: connection; for ( c in f$conns ) conn=f$conns[c]; local metasploit = /[a-z][A-Z]{2}/; local x509_data: table[string] of string = table(); local parts = split(cert$issuer, /,/); for ( part_index in parts ) { local key_val = split1(parts[part_index], /=/); if ( 2 in key_val) x509_data[key_val[1]] = key_val[2]; } if ( "C" in x509_data && x509_data["C"] == "US" && "L" in x509_data && metasploit in x509_data["L"] ) NOTICE([$note=Metasploit_SSL_Cert, $conn=conn, $msg=fmt("Metasploit SSL, random issuer US city '%s'", x509_data["L"]), $sub=cert$issuer, $identifier=cert$issuer]);
24
Metasploit SSL Round 2
25
Metasploit SSL Cert Round 2
Explain Snakeoil
27
Metasploit SSL Cert Round 2
def self.ssl_generate_certificate yr = 24*3600* vf = Time.at(Time.now.to_i - rand(yr * 3) - yr) vt = Time.at(vf.to_i + (10 * yr)) cn = Rex::Text.rand_text_alpha_lower(rand(8)+2) key = OpenSSL::PKey::RSA.new(2048){ } cert = OpenSSL::X509::Certificate.new cert.version = cert.serial = (rand(0xFFFFFFFF) << 32) + rand(0xFFFFFFFF) cert.subject = OpenSSL::X509::Name.new([["CN", cn]]) cert.issuer = OpenSSL::X509::Name.new([["CN", cn]]) cert.not_before = vf cert.not_after = vt cert.public_key = key.public_key ef = OpenSSL::X509::ExtensionFactory.new(nil,cert) cert.extensions = [ ef.create_extension("basicConstraints","CA:FALSE") ] ef.issuer_certificate = cert cert.sign(key, OpenSSL::Digest::SHA256.new)
28
Metasploit SSL Round 2 Bro logs ip.orig_h: 10.1.2.3 ip.orig_P: 1984
ip.resp_h: ip.resp_p: 443 subject: CN=qjpozixk issuer: CN=qjpozixk version: TLSv12 certificate.sig_alg: sha256WithRSAEncryption validation_status: self signed certificate
29
Snakeoil Cert Metasploit Cert
Issuer contains CN only Issuer and Subject are the same 2048bit Key Version 3 Valid for 10 years Starting now Usually SHA1 (for now) CN = Hostname.Domain Issuer contains CN only Issuer and Subject are the same 2048bit Key Version 3 Valid for 10 years Starting now - rand(yr * 3) - yr Always SHA256 CN = rand_text_alpha_lower(rand(8)+2) These make it easy to narrow down the search pattern.
30
Snakeoil Cert Metasploit Cert
Issuer contains CN only Issuer and Subject are the same 2048bit Key Version 3 Valid for 10 years Starting now Usually SHA1 (for now) CN = Hostname.Domain Issuer contains CN only Issuer and Subject are the same 2048bit Key Version 3 Valid for 10 years Starting now - rand(yr * 3) - yr Always SHA256 CN = rand_text_alpha_lower(rand(8)+2) These are the main differences and are great for regex matches.
31
Bro Script event x509_certificate(f: fa_file , cert_ref: opaque of x509 , cert: X509::Certificate ) { for ( cid in f$conns ) { if ( cid$resp_h in /8 ) { return; } } if ( ! cert?$subject ) { return; } if ( ! cert?$issuer ) { return; } if ( cert$subject in falselist ) { return; } if ( cert$subject != cert$issuer ) { return; } if ( /^CN=[a-z]{2,10}$/ == cert$subject ) if ( "sha256WithRSAEncryption" == cert$sig_alg ) NOTICE([$note=Metasploit_SSL_Cert, $conn=f$conns[cid], $msg=fmt("Metasploit Randomly Generated SSL Cert, '%s'", cert$subject), $sub=cert$issuer]); } 8 lines of code to detect HD’s 16 lines of code
32
Metasploit SSL Round 3
34
Certificate Style subject=/C=US/ST=WI/L=Denise/O=Gary/CN=41tw6z.yl.biz issuer=/C=US/O=Timothy/CN=Alan Jessica subject=/C=US/ST=WI/L=Steven/O=George/CN=p.h1qtuz.org issuer=/C=US/O=Andrea/CN=Bobby Jeremy subject=/C=US/ST=VT/L=Antonio/O=Roy/CN=td.0swgljfedb.a.edu issuer=/C=US/O=Nicholas/CN=Gregory Harry
35
Certificate Style subject=/C=US/ST=WI/L=Denise/O=Gary/CN=41tw6z.yl.biz issuer=/C=US/O=Timothy/CN=Alan Jessica subject=/C=US/ST=WI/L=Steven/O=George/CN=p.h1qtuz.org issuer=/C=US/O=Andrea/CN=Bobby Jeremy subject=/C=US/ST=VT/L=Antonio/O=Roy/CN=td.0swgljfedb.a.edu issuer=/C=US/O=Nicholas/CN=Gregory Harry subject=^C=US\/ST=[A-Z]{2}\/L=[A-Z][a-z]+\/O=[A-Z][a-z]+\/CN=(\w|\.)+$ issuer=^C=US\/O=[A-Z][a-z]+\/CN=[A-Z][a-z]+\s[A-Z][a-z]+$ Add in logic for the cert style and you have solid detection with little to no false positives
37
Certificate Style CertSubject: C=/C=US/ST=* CertIssuer: C=/C=US/ST=*
Subject: C=/C=US/ST=VA/O=Nienow Issuer: C=/C=US/ST=VA/O=Nienow Subject: Issuer: CertSubject: C=/C=US/ST=* CertIssuer: C=/C=US/ST=* Add in logic for the cert style and you have solid detection with little to no false positives
38
Certificate Style subject=^C=US\/ST=[A-Z]{2}\/L=[A-Z][a-z]+\/O=[A-Z][a-z]+\/CN=(\w|\.)+$ issuer=^C=US\/O=[A-Z][a-z]+\/CN=[A-Z][a-z]+\s[A-Z][a-z]+$ Add in logic for the cert style and you have solid detection with little to no false positives
50
Harder for threat actors to change
TTPs Tools Harder for threat actors to change Even harderer to detect Artifacts Domain Names IP Addresses Hash Values Jeff to pick up here -
51
How SSL works Let’s take a closer look at the TLS Client Hello Packet
52
First to the Key (2009) Blog posts go back as far as 2009 on using cipher suites as a way to fingerprint clients
53
Lee Brotherston (Derbycon 2015)
Lee Brotherston created TLSFingerprint, a standalone tool for fingerprinting clients. However, the output was large and we needed a solution that would work on our existing tools.
54
Our Requirements Needs to work on existing tools
Unique to client application like FingerprinTLS Easy to create Easy to share Easy to consume by any tool Our requirements for a TLS fingerprinting solution
55
How SSL works Each client formulates it’s TLS client hello packet differently depending on certain conditions in which the client application was compiled.
56
How SSL works Notice the differences between these two similar programs
57
Microsoft Edge (Browser)
Example
58
Dridex Malware (Banking Trojan)
Example
59
Trickbot Malware (Banking Trojan)
Example, notice TLS 1.0
60
Microsoft Edge (Browser)
Microsoft orders ciphers from most secure to least
61
Trickbot Malware (Banking Trojan)
Malware usually doesn’t
62
Fingerprinting TLS Clients
Each client formulates it’s TLS client hello packet differently depending on certain conditions in which the client application was compiled. How do we turn these unique differences into easily consumable fingerprints.
63
Fingerprinting TLS - The JA3 Method
64
Fingerprinting TLS - The JA3 Method
Version 771
65
Fingerprinting TLS - The JA3 Method
Version,Ciphers 771,
66
Fingerprinting TLS - The JA3 Method
Version,Ciphers,Extensions 771, ,
67
Fingerprinting TLS - The JA3 Method
Version,Ciphers,Extensions,EllipticCurves 771, , ,
68
Fingerprinting TLS - The JA3 Method
Version,Ciphers,Extensions,EllipticCurves,ECPointFormats 771, , , ,0
69
Fingerprinting TLS - The JA3 Method
Version,Ciphers,Extensions,EllipticCurves,ECPointFormats 771, , , ,0 MD5 hash
70
Fingerprinting TLS - The JA3 Method
Version,Ciphers,Extensions,EllipticCurves,ECPointFormats 771, , , ,0 MD5 hash JA3 = f4c4f050188e15839a6cd3af798b6c77
71
Fingerprinting TLS - The JA3 Method
Version,Ciphers,Extensions,EllipticCurves,ECPointFormats 771, ,,, MD5 hash JA3 = 4dd4fca b13b641d54a
72
Fingerprinting TLS - The JA3 Method
771, , , ,0 JA3 = ce5f a8c095a3d821d
73
Google Chrome JA3 = 94c485bca29d5392be53f2b8cf7f4304
74
Microsoft Edge JA3 = 10ee8d30a5d01c042afd7b2b205facc4
75
Tor Client JA3 = e7d705a3286e19ea42f587b344ee6865
76
Dridex Malware JA3 = 74927e242d6c3febf8cb9cab10a7f889
77
Trickbot Malware JA3 = 6734f b3ab4292b8f60f29984
78
JA3 on TLS 1.3
79
JA3 on TLS 1.3
80
No Server, No Problem Fully negotiated connections are not necessary. Server could be misconfigured or sinkholed. Client application can still be identified.
81
TTPs Tools Harder for threat actors to change Even harderer to detect Artifacts Domain Names IP Addresses Hash Values
82
https://github.com/salesforce/ja3
JA3 pip install pyja3 bro-pkg install ja3 Created by: John Althouse Jeff Atkinson Josh Atkins Concept and Inspiration from: Lee Brotherston Turn over to John for Metasploit Round 3
83
Mapping JA3 to Client Application
84
Mapping JA3 to Client Application
Jeff picks up here
85
Mapping JA3 to Client Application
86
Mapping JA3 to Client Application
This is my Mac laptop and the client applications connecting outbound. This is pretty accurate, though not perfect, it’s amazing for a tool that is just listening on the network.
87
Example Network What can we see in a large example network?
88
Domain=steampowered.com Ah, my fellow PC Gamers :)
89
Malware and Sandboxes
90
Baseline your sandbox https://github.com/gbarford/testssl
Win10-socket: c12f54a3f91dc7bafd92cb59fe009a35 Win10-socket-SNI: 3b5074b1b5d032e5620f69f9f700ff0e Win10-powershell: fc54e0d16d f0146a98b300 Win10-powershell-SNI: bd36c14bd82ddaa0c04b25ed9ad Win10-iexplore: be6155e945a3e59a1dd0841b86f6c945 Win10-iexplore-SNI: 10ee8d30a5d01c042afd7b2b205facc4 Win2016-socket: c543b63b895881d9abfbc320cb863 Win2016-socket-SNI: 7c410ce832e848a c9a82e972b Win2016-powershell: 17b69de9188f4c205a00fe5ae9c1151f Win2016-powershell-SNI: 235a856727c14dba889ddee0a38dd2f2 Win2016-iexplore: 4f2e9c50db9bd bd24740c0d Win2016-iexplore-SNI: f d61a237aa9e5e
91
File Exfil Detection Over TLS Original Concept by Bob Rotsted
92
Normal Outbound Traffic
93
File Transfer Outbound
94
Threshold Byte Count and Byte Rate
95
Exfil Detection from the Wire
Source IP: Destination IPs: , , … Destination Port: Service: HTTPS Destination Certificate: CN=*.dropbox.com ... Certificate Valid: True Files Transferred: TotalBytes Transferred: 2,048MB
96
Exfil Detection from the Wire
Source IP: Destination IPs: , , … Destination Port: Service: HTTPS Destination Certificate: CN=*.dropbox.com ... Certificate Valid: True Files Transferred: TotalBytes Transferred: 2,048MB JA3: fa030dbcb2e3c7141d3c ee8db JA3ClientApplication: Dropbox
97
Exfil Detection from the Wire
Source IP: Destination IPs: , , … Destination Port: Service: HTTPS Destination Certificate: CN=*.dropbox.com ... Certificate Valid: True Files Transferred: TotalBytes Transferred: 2,048MB JA3: fc54e0d16d f0146a98b300 JA3ClientApplication: Powershell
98
Hunting weird Cert Subjects
Found some
99
Hunting weird Cert Subjects
Found some
100
CN= Pivot on the JA3
101
JA3=2d8794cb7b52b777bee2695e79c15760 DGA located. This happens to be Tor, but it’s a great example of how one can pivot on the JA3 to find what else the client connects to. Ability to better enumerate actor’s infrastructure.
102
Evilginx E V I Username LG Password N Cookie 2FA X
TLS Server Hello Packet
103
Evilginx E V I Username LG Password N Cookie 2FA X
TLS Server Hello Packet
104
Evilginx TLS Server Hello Packet
105
Evilginx TLS Server Hello Packet
106
Evilginx man-in-the-middle attack framework phishing login credentials
session cookies to bypass 2-factor authentication protection. Released July and gaining momentum. Written in GO, can be noisy. JA3: d3e1de2ca313c6c0a639f69cc3e924a4 Possible Detection for Web Logins: Combine GO JA3 with User-Agent to confirm GO Proxy, not GO Client If you have a service that is accepting customer logins, how many customers are logging in with GO clients? Do you know? JA3 will tell you.
107
John picks up here
108
Pupy RAT As with most open source pen testing tools, it’s used in actual devastating attacks.
109
Pupy RAT Traditional IOCs - Secureworks
110
Pupy RAT How PuppyRAT configures it’s cipher organization
111
Pupy RAT JA3=d461cb26d9efc16067d3ff7704cea87f
Makes fingerprinting PuppyRAT easy. Notice the invalid cipher in the middle, luckily, hackers are just as bad at writing code as the rest of us.
112
Targeted Malware
113
Pen Testers This custom malware was designed to evade detection because it was over TLS to a legitimate destination. Notice the single Cipher, that never happens, never.
114
Pen Testers JA3: 87bb7d3dcf10752c52ebeb53f0a57700 Fingerprint String: 771,49196, ,24,0 In this example, detection was very simple and easy with zero false positives.
115
Metasploit SSL Round 4
116
Metasploit SSL Round 4 These are connection examples with Meterpreter/reverse_https
117
Moloch Also, this is the Moloch tool.
118
Moloch molo.ch Check out Moloch at molo.ch
119
Meterpreter on Windows 10
Anyway, take a look at the JA3 for each connection, the length of time, and packets
120
Meterpreter on Windows 10
Anyway, take a look at the JA3 for each connection, the length of time, and packets
121
Windows 10 Meterpreter HTTPS
IP JA3: 72a589da586844d7f0818ce684948eea Domain JA3: a0e9f5d64349fb13191bc781f81f42e1 Detection could be built on this alone
122
payload/windows/meterpreter/reverse_https
Win10 Meterpreter JA3: 72a589da586844d7f0818ce684948eea While the JA3 for Meterpreter payload on Win10 is a VERY iffy thing to completely base detection off of
123
JA3S Fingerprinting Server Hellos
124
Hypothesis AAAAAAAAA A server will respond to different clients differently, however it will respond to the same client the same
125
Hypothesis AAA A server will respond to different clients differently, however it will respond to the same client the same
126
Hypothesis BBBBBBBB A server will respond to different clients differently, however it will respond to the same client the same
127
Hypothesis BBB A server will respond to different clients differently, however it will respond to the same client the same
128
The JA3S Method
129
The JA3S Method
130
The JA3S Method Server Version 769,
131
The JA3S Method Server Version,Cipher Picked 769,49172,
132
The JA3S Method Server Version,Cipher Picked,Extensions
769,49172,
133
The JA3S Method Server Version,Cipher Picked,Extensions
769,49172, MD5 hash
134
The JA3S Method Server Version,Cipher Picked,Extensions
769,49172, MD5 hash JA3S = 623de93db17d313345d7ea481e7443cf
135
JA JA3S Example, the JA3 ending in cc4 is powershell, in 9ad is Microsoft Edge, the server always responds the same to each client but differently to different clients
136
JA JA3S Example, the JA3 ending in cc4 is powershell, in 9ad is Microsoft Edge, the server always responds the same to each client but differently to different clients
137
Trickbot Malware JA3 = 6734f37431670b3ab4292b8f60f29984
JA3S = 623de93db17d313345d7ea481e7443cf
138
IcedID Malware JA3 = 4d7a28d6f2263ed61de88ca66eb011e3
JA3S = 80b3a14bccc8598a1f3bbe83e71f735f
139
JA3S = a95ca7eab4d47d051a5cd4fb7b6005dc
Tor JA3 = e7d705a3286e19ea42f587b344ee6865 JA3S = a95ca7eab4d47d051a5cd4fb7b6005dc
140
https://github.com/salesforce/ja3
JA3S pip install pyja3 bro-pkg install ja3
141
Metasploit SSL Round 5
142
payload/windows/meterpreter/reverse_https
Kali JA3S: de61602be74d4b bd18e Lets look at Metasploit again. Here’s Metasploit’s server hello responding to meterpreter payload on Windows10. Notice the cipher suite it chose, the extensions it decided to use.
143
payload/windows/meterpreter/reverse_https
Kali Metasploit JA3S: de61602be74d4b bd18e And the JA3S is also iffy
144
payload/windows/meterpreter/reverse_https
JA3=72a589da586844d7f0818ce684948eea AND JA3S=70999de61602be74d4b bd18e Combined together and it’s all you need for detecting Metasploit, regardless of the certificate
145
payload/windows/meterpreter/reverse_https
JA3=72a589da586844d7f0818ce684948eea AND JA3S=70999de61602be74d4b bd18e Combined together and it’s all you need for detecting Metasploit, regardless of the certificate
146
Cobalt Strike - Beacon (Windows 10)
147
Cobalt Strike - Beacon (Kali Linux)
148
Cobalt Strike - Beacon (Kali Linux)
149
Cobalt Strike - Beacon (Kali Linux)
JA3=72a589da586844d7f0818ce684948eea AND JA3S=b742b407517bac9536a77a7b0fee28e9 Combined together and it’s all you need for detecting Metasploit, regardless of the certificate
150
Simple Low False Positive Detection
Metasploit Win10 to Kali: (JA3=72a589da586844d7f0818ce684948eea OR JA3=a0e9f5d64349fb13191bc781f81f42e1) AND JA3S=70999de61602be74d4b bd18e Cobalt Strike Win10 to Kali: (JA3=72a589da586844d7f0818ce684948eea OR JA3=a0e9f5d64349fb13191bc781f81f42e1) AND JA3S=b742b407517bac9536a77a7b0fee28e9 Detection could be built on this alone
151
Empire (Python)
152
Empire (Pen Testers) In this example, the malware is the Python version of Empire
153
Empire (Pen Testers) JA3=Python
154
Empire (Pen Testers) I forgot to take a screenshot but this is what it looked like in Splunk, I swear.
155
Empire (Pen Testers) The JA3S is their server
156
Empire (Pen Testers) JA3+JA3S, super rare and that’s the detection.
157
HASSH Fingerprinting for SSH Clients and Servers
Idea and Concept by Ben Reardon Jeff to pick up here
158
HASSH
159
HASSH
160
HASSH ToDo: add link to Ben’s Salesforce Engineering Blog Post
161
Fingerprinting SSH - The HASSH Method
162
Fingerprinting SSH - The HASSH Method
KeyExchange;
163
Fingerprinting SSH - The HASSH Method
KeyExchange;Encryption;
164
Fingerprinting SSH - The HASSH Method
KeyExchange;Encryption;MessageAuth;
165
Fingerprinting SSH - The HASSH Method
KeyExchange;Encryption;MessageAuth;Compression
166
Fingerprinting SSH - The HASSH Method
KeyExchange;Encryption;MessageAuth;Compression MD5 hash
167
Fingerprinting SSH - The HASSH Method
KeyExchange;Encryption;MessageAuth;Compression MD5 hash HASSH = 9c325a9bc631ff065307ccc05217c7da
168
Fingerprinting SSH - The HASSH Method
169
Fingerprinting SSH - The HASSH Method
HASSH = 8a8ae540028bf433cd68356c1b9e8d5b
170
HASSH https://github.com/salesforce/hassh
Created by: Ben Adel John Jeff Atkinson /in/anNh
171
Conclusion JA3 is not a silver bullet
Application collisions can happen Applications can connect through OS APIs There can be up to 5 JA3s for the same application But it is always valuable as a pivot point for analysis JA3 is a silver bullet (sometimes) Each environment is different Combined with JA3S allows for fingerprinting the entire TLS communication between client and server
172
Conclusion This style of fingerprinting can work across other encrypted channels! Please take this, use it, build off of our research, make it better, help push the industry forward.
176
https://github.com/salesforce/ja3 https://github.com/salesforce/hassh
John Althouse Threat Detection @4A4133 Jeff Atkinson Threat Intel @4a7361 in/anNh
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.