Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fingerprinting Encrypted Channels with Bro for High Fidelity Detection

Published bySnežana Dimić Modified over 5 years ago

Similar presentations

Presentation on theme: "Fingerprinting Encrypted Channels with Bro for High Fidelity Detection"— Presentation transcript:

1 Fingerprinting Encrypted Channels with Bro for High Fidelity Detection
Jeff to lead off the introduction and John to start describing How SSL works and Metasploit

2 Fingerprinting Encrypted Channels with Bro for High Fidelity Detection
Jeff to lead off the introduction and John to start describing How SSL works and Metasploit

3 How SSL works Silly initial slide to set the tone. Note: The actual title card is later in the presentation, this is on purpose as a method of keeping the audience engaged.

4 How SSL works

5 How SSL works How NIDS would traditionally look at a TLS connection.

6 How SSL works Here’s how it actually works. This is the TCP 3-Way Handshake

7 How SSL works TCP 3-Way Handshake

8 How SSL works TCP 3-Way Handshake

9 How SSL works TLS Client Hello Packet

10 How SSL works TLS Server Hello Packet

11 How SSL works You’re looking for?

12 How SSL works You’re looking for?

13 How SSL works You’re looking for?

14 How SSL works You’re looking for?

15 How SSL works How NIDS would traditionally look at a TLS connection.

16 TTPs Tools Harder for threat actors to change Even harderer to detect Artifacts Domain Names IP Addresses Hash Values

17 Metasploit SSL

18 Default Metasploit SSL Cert in Bro
x509.log certificate.issuer: CN=hrzvox.gov,O=bdlOFqMXlUfgoNQljMuRWgiJ,L=ZTIhjQVsJEuQIlS gScdegcLSLJVRE,ST=WI,C=US certificate.subject: CN=vl3qykkr.com,O=UPdkxNEasODSAlkvuadEMm,L=SZewokfDFSkaAsf KyeJMNtfleGT,ST=NV,C=US

19 /usr/share/metasploit-framework/lib/rex/socket/ssl_tcp_server.rb def makessl(params) ssl_cert = params.ssl_cert if ssl_cert issuer = OpenSSL::X509::Name.new([ ["C","US"], ['ST', Rex::Text.rand_state()], ["L", Rex::Text.rand_text_alpha(rand(20) + 10)], ["O", Rex::Text.rand_text_alpha(rand(20) + 10)], ["CN", Rex::Text.rand_hostname], ])

20 Default Metasploit SSL Cert in Bro
x509.log certificate.issuer: CN=hrzvox.gov, O=bdlOFqMXlUfgoNQljMuRWgiJ, L=ZTIhjQVsJEuQIlSgScdegcLSLJVRE, ST=WI, C=US

21 Regex match on rand mixed alpha?
bdlOFqMXlUfgoNQljMuRWgiJ ZTIhjQVsJEuQIlSgScdegcLSLJVRE alDSFlkasfQWAFlksSA aAfkVCIQmdSDlEkfASgKJZEk KfaNmtFxGPtqeK jQVsJEuQIlSgoNQljMuR CIQmddlOFqMXlUlDSFSgQljM SgoNQljasfOFqMXl KfIKwlMCZoetFFaLKXZ - xkcd

22 [a-z][A-Z]{2} - xkcd

23 if ( !(cert?$issuer) || (/C=US/ !in cert$issuer) )
return; local conn: connection; for ( c in f$conns ) conn=f$conns[c]; local metasploit = /[a-z][A-Z]{2}/; local x509_data: table[string] of string = table(); local parts = split(cert$issuer, /,/); for ( part_index in parts ) { local key_val = split1(parts[part_index], /=/); if ( 2 in key_val) x509_data[key_val[1]] = key_val[2]; } if ( "C" in x509_data && x509_data["C"] == "US" && "L" in x509_data && metasploit in x509_data["L"] ) NOTICE([$note=Metasploit_SSL_Cert, $conn=conn, $msg=fmt("Metasploit SSL, random issuer US city '%s'", x509_data["L"]), $sub=cert$issuer, $identifier=cert$issuer]);

24 Metasploit SSL Round 2

25 Metasploit SSL Cert Round 2
Explain Snakeoil

26

27 Metasploit SSL Cert Round 2
def self.ssl_generate_certificate yr = 24*3600* vf = Time.at(Time.now.to_i - rand(yr * 3) - yr) vt = Time.at(vf.to_i + (10 * yr)) cn = Rex::Text.rand_text_alpha_lower(rand(8)+2) key = OpenSSL::PKey::RSA.new(2048){ } cert = OpenSSL::X509::Certificate.new cert.version = cert.serial = (rand(0xFFFFFFFF) << 32) + rand(0xFFFFFFFF) cert.subject = OpenSSL::X509::Name.new([["CN", cn]]) cert.issuer = OpenSSL::X509::Name.new([["CN", cn]]) cert.not_before = vf cert.not_after = vt cert.public_key = key.public_key ef = OpenSSL::X509::ExtensionFactory.new(nil,cert) cert.extensions = [ ef.create_extension("basicConstraints","CA:FALSE") ] ef.issuer_certificate = cert cert.sign(key, OpenSSL::Digest::SHA256.new)

28 Metasploit SSL Round 2 Bro logs ip.orig_h: 10.1.2.3 ip.orig_P: 1984
ip.resp_h: ip.resp_p: 443 subject: CN=qjpozixk issuer: CN=qjpozixk version: TLSv12 certificate.sig_alg: sha256WithRSAEncryption validation_status: self signed certificate

29 Snakeoil Cert Metasploit Cert
Issuer contains CN only Issuer and Subject are the same 2048bit Key Version 3 Valid for 10 years Starting now Usually SHA1 (for now) CN = Hostname.Domain Issuer contains CN only Issuer and Subject are the same 2048bit Key Version 3 Valid for 10 years Starting now - rand(yr * 3) - yr Always SHA256 CN = rand_text_alpha_lower(rand(8)+2) These make it easy to narrow down the search pattern.

30 Snakeoil Cert Metasploit Cert
Issuer contains CN only Issuer and Subject are the same 2048bit Key Version 3 Valid for 10 years Starting now Usually SHA1 (for now) CN = Hostname.Domain Issuer contains CN only Issuer and Subject are the same 2048bit Key Version 3 Valid for 10 years Starting now - rand(yr * 3) - yr Always SHA256 CN = rand_text_alpha_lower(rand(8)+2) These are the main differences and are great for regex matches.

31 Bro Script event x509_certificate(f: fa_file , cert_ref: opaque of x509 , cert: X509::Certificate ) { for ( cid in f$conns ) { if ( cid$resp_h in /8 ) { return; } } if ( ! cert?$subject ) { return; } if ( ! cert?$issuer ) { return; } if ( cert$subject in falselist ) { return; } if ( cert$subject != cert$issuer ) { return; } if ( /^CN=[a-z]{2,10}$/ == cert$subject ) if ( "sha256WithRSAEncryption" == cert$sig_alg ) NOTICE([$note=Metasploit_SSL_Cert, $conn=f$conns[cid], $msg=fmt("Metasploit Randomly Generated SSL Cert, '%s'", cert$subject), $sub=cert$issuer]); } 8 lines of code to detect HD’s 16 lines of code

32 Metasploit SSL Round 3

33

34 Certificate Style subject=/C=US/ST=WI/L=Denise/O=Gary/CN=41tw6z.yl.biz issuer=/C=US/O=Timothy/CN=Alan Jessica subject=/C=US/ST=WI/L=Steven/O=George/CN=p.h1qtuz.org issuer=/C=US/O=Andrea/CN=Bobby Jeremy subject=/C=US/ST=VT/L=Antonio/O=Roy/CN=td.0swgljfedb.a.edu issuer=/C=US/O=Nicholas/CN=Gregory Harry

35 Certificate Style subject=/C=US/ST=WI/L=Denise/O=Gary/CN=41tw6z.yl.biz issuer=/C=US/O=Timothy/CN=Alan Jessica subject=/C=US/ST=WI/L=Steven/O=George/CN=p.h1qtuz.org issuer=/C=US/O=Andrea/CN=Bobby Jeremy subject=/C=US/ST=VT/L=Antonio/O=Roy/CN=td.0swgljfedb.a.edu issuer=/C=US/O=Nicholas/CN=Gregory Harry subject=^C=US\/ST=[A-Z]{2}\/L=[A-Z][a-z]+\/O=[A-Z][a-z]+\/CN=(\w|\.)+$ issuer=^C=US\/O=[A-Z][a-z]+\/CN=[A-Z][a-z]+\s[A-Z][a-z]+$ Add in logic for the cert style and you have solid detection with little to no false positives

36

37 Certificate Style CertSubject: C=/C=US/ST=* CertIssuer: C=/C=US/ST=*
Subject: C=/C=US/ST=VA/O=Nienow Issuer: C=/C=US/ST=VA/O=Nienow Subject: Issuer: CertSubject: C=/C=US/ST=* CertIssuer: C=/C=US/ST=* Add in logic for the cert style and you have solid detection with little to no false positives

38 Certificate Style subject=^C=US\/ST=[A-Z]{2}\/L=[A-Z][a-z]+\/O=[A-Z][a-z]+\/CN=(\w|\.)+$ issuer=^C=US\/O=[A-Z][a-z]+\/CN=[A-Z][a-z]+\s[A-Z][a-z]+$ Add in logic for the cert style and you have solid detection with little to no false positives

39

40

41

42

43

44

45

46

47

48

49

50 Harder for threat actors to change
TTPs Tools Harder for threat actors to change Even harderer to detect Artifacts Domain Names IP Addresses Hash Values Jeff to pick up here -

51 How SSL works Let’s take a closer look at the TLS Client Hello Packet

52 First to the Key (2009) Blog posts go back as far as 2009 on using cipher suites as a way to fingerprint clients

53 Lee Brotherston (Derbycon 2015)
Lee Brotherston created TLSFingerprint, a standalone tool for fingerprinting clients. However, the output was large and we needed a solution that would work on our existing tools.

54 Our Requirements Needs to work on existing tools
Unique to client application like FingerprinTLS Easy to create Easy to share Easy to consume by any tool Our requirements for a TLS fingerprinting solution

55 How SSL works Each client formulates it’s TLS client hello packet differently depending on certain conditions in which the client application was compiled.

56 How SSL works Notice the differences between these two similar programs

57 Microsoft Edge (Browser)
Example

58 Dridex Malware (Banking Trojan)
Example

59 Trickbot Malware (Banking Trojan)
Example, notice TLS 1.0

60 Microsoft Edge (Browser)
Microsoft orders ciphers from most secure to least

61 Trickbot Malware (Banking Trojan)
Malware usually doesn’t

62 Fingerprinting TLS Clients
Each client formulates it’s TLS client hello packet differently depending on certain conditions in which the client application was compiled. How do we turn these unique differences into easily consumable fingerprints.

63 Fingerprinting TLS - The JA3 Method

64 Fingerprinting TLS - The JA3 Method
Version 771

65 Fingerprinting TLS - The JA3 Method
Version,Ciphers 771,

66 Fingerprinting TLS - The JA3 Method
Version,Ciphers,Extensions 771, ,

67 Fingerprinting TLS - The JA3 Method
Version,Ciphers,Extensions,EllipticCurves 771, , ,

68 Fingerprinting TLS - The JA3 Method
Version,Ciphers,Extensions,EllipticCurves,ECPointFormats 771, , , ,0

69 Fingerprinting TLS - The JA3 Method
Version,Ciphers,Extensions,EllipticCurves,ECPointFormats 771, , , ,0 MD5 hash

70 Fingerprinting TLS - The JA3 Method
Version,Ciphers,Extensions,EllipticCurves,ECPointFormats 771, , , ,0 MD5 hash JA3 = f4c4f050188e15839a6cd3af798b6c77

71 Fingerprinting TLS - The JA3 Method
Version,Ciphers,Extensions,EllipticCurves,ECPointFormats 771, ,,, MD5 hash JA3 = 4dd4fca b13b641d54a

72 Fingerprinting TLS - The JA3 Method
771, , , ,0 JA3 = ce5f a8c095a3d821d

73 Google Chrome JA3 = 94c485bca29d5392be53f2b8cf7f4304

74 Microsoft Edge JA3 = 10ee8d30a5d01c042afd7b2b205facc4

75 Tor Client JA3 = e7d705a3286e19ea42f587b344ee6865

76 Dridex Malware JA3 = 74927e242d6c3febf8cb9cab10a7f889

77 Trickbot Malware JA3 = 6734f b3ab4292b8f60f29984

78 JA3 on TLS 1.3

79 JA3 on TLS 1.3

80 No Server, No Problem Fully negotiated connections are not necessary. Server could be misconfigured or sinkholed. Client application can still be identified.

81 TTPs Tools Harder for threat actors to change Even harderer to detect Artifacts Domain Names IP Addresses Hash Values

82 https://github.com/salesforce/ja3
JA3 pip install pyja3 bro-pkg install ja3 Created by: John Althouse Jeff Atkinson Josh Atkins Concept and Inspiration from: Lee Brotherston Turn over to John for Metasploit Round 3

83 Mapping JA3 to Client Application

84 Mapping JA3 to Client Application
Jeff picks up here

85 Mapping JA3 to Client Application

86 Mapping JA3 to Client Application
This is my Mac laptop and the client applications connecting outbound. This is pretty accurate, though not perfect, it’s amazing for a tool that is just listening on the network.

87 Example Network What can we see in a large example network?

88 Domain=steampowered.com Ah, my fellow PC Gamers :)

89 Malware and Sandboxes

90 Baseline your sandbox https://github.com/gbarford/testssl
Win10-socket: c12f54a3f91dc7bafd92cb59fe009a35 Win10-socket-SNI: 3b5074b1b5d032e5620f69f9f700ff0e Win10-powershell: fc54e0d16d f0146a98b300 Win10-powershell-SNI: bd36c14bd82ddaa0c04b25ed9ad Win10-iexplore: be6155e945a3e59a1dd0841b86f6c945 Win10-iexplore-SNI: 10ee8d30a5d01c042afd7b2b205facc4 Win2016-socket: c543b63b895881d9abfbc320cb863 Win2016-socket-SNI: 7c410ce832e848a c9a82e972b Win2016-powershell: 17b69de9188f4c205a00fe5ae9c1151f Win2016-powershell-SNI: 235a856727c14dba889ddee0a38dd2f2 Win2016-iexplore: 4f2e9c50db9bd bd24740c0d Win2016-iexplore-SNI: f d61a237aa9e5e

91 File Exfil Detection Over TLS Original Concept by Bob Rotsted

92 Normal Outbound Traffic

93 File Transfer Outbound

94 Threshold Byte Count and Byte Rate

95 Exfil Detection from the Wire
Source IP: Destination IPs: , , … Destination Port: Service: HTTPS Destination Certificate: CN=*.dropbox.com ... Certificate Valid: True Files Transferred: TotalBytes Transferred: 2,048MB

96 Exfil Detection from the Wire
Source IP: Destination IPs: , , … Destination Port: Service: HTTPS Destination Certificate: CN=*.dropbox.com ... Certificate Valid: True Files Transferred: TotalBytes Transferred: 2,048MB JA3: fa030dbcb2e3c7141d3c ee8db JA3ClientApplication: Dropbox

97 Exfil Detection from the Wire
Source IP: Destination IPs: , , … Destination Port: Service: HTTPS Destination Certificate: CN=*.dropbox.com ... Certificate Valid: True Files Transferred: TotalBytes Transferred: 2,048MB JA3: fc54e0d16d f0146a98b300 JA3ClientApplication: Powershell

98 Hunting weird Cert Subjects
Found some

99 Hunting weird Cert Subjects
Found some

100 CN= Pivot on the JA3

101 JA3=2d8794cb7b52b777bee2695e79c15760 DGA located. This happens to be Tor, but it’s a great example of how one can pivot on the JA3 to find what else the client connects to. Ability to better enumerate actor’s infrastructure.

102 Evilginx E V I Username LG Password N Cookie 2FA X
TLS Server Hello Packet

103 Evilginx E V I Username LG Password N Cookie 2FA X
TLS Server Hello Packet

104 Evilginx TLS Server Hello Packet

105 Evilginx TLS Server Hello Packet

106 Evilginx man-in-the-middle attack framework phishing login credentials
session cookies to bypass 2-factor authentication protection. Released July and gaining momentum. Written in GO, can be noisy. JA3: d3e1de2ca313c6c0a639f69cc3e924a4 Possible Detection for Web Logins: Combine GO JA3 with User-Agent to confirm GO Proxy, not GO Client If you have a service that is accepting customer logins, how many customers are logging in with GO clients? Do you know? JA3 will tell you.

107 John picks up here

108 Pupy RAT As with most open source pen testing tools, it’s used in actual devastating attacks.

109 Pupy RAT Traditional IOCs - Secureworks

110 Pupy RAT How PuppyRAT configures it’s cipher organization

111 Pupy RAT JA3=d461cb26d9efc16067d3ff7704cea87f
Makes fingerprinting PuppyRAT easy. Notice the invalid cipher in the middle, luckily, hackers are just as bad at writing code as the rest of us.

112 Targeted Malware

113 Pen Testers This custom malware was designed to evade detection because it was over TLS to a legitimate destination. Notice the single Cipher, that never happens, never.

114 Pen Testers JA3: 87bb7d3dcf10752c52ebeb53f0a57700 Fingerprint String: 771,49196, ,24,0 In this example, detection was very simple and easy with zero false positives.

115 Metasploit SSL Round 4

116 Metasploit SSL Round 4 These are connection examples with Meterpreter/reverse_https

117 Moloch Also, this is the Moloch tool.

118 Moloch molo.ch Check out Moloch at molo.ch

119 Meterpreter on Windows 10
Anyway, take a look at the JA3 for each connection, the length of time, and packets

120 Meterpreter on Windows 10
Anyway, take a look at the JA3 for each connection, the length of time, and packets

121 Windows 10 Meterpreter HTTPS
IP JA3: 72a589da586844d7f0818ce684948eea Domain JA3: a0e9f5d64349fb13191bc781f81f42e1 Detection could be built on this alone

122 payload/windows/meterpreter/reverse_https
Win10 Meterpreter JA3: 72a589da586844d7f0818ce684948eea While the JA3 for Meterpreter payload on Win10 is a VERY iffy thing to completely base detection off of

123 JA3S Fingerprinting Server Hellos

124 Hypothesis AAAAAAAAA A server will respond to different clients differently, however it will respond to the same client the same

125 Hypothesis AAA A server will respond to different clients differently, however it will respond to the same client the same

126 Hypothesis BBBBBBBB A server will respond to different clients differently, however it will respond to the same client the same

127 Hypothesis BBB A server will respond to different clients differently, however it will respond to the same client the same

128 The JA3S Method

129 The JA3S Method

130 The JA3S Method Server Version 769,

131 The JA3S Method Server Version,Cipher Picked 769,49172,

132 The JA3S Method Server Version,Cipher Picked,Extensions
769,49172,

133 The JA3S Method Server Version,Cipher Picked,Extensions
769,49172, MD5 hash

134 The JA3S Method Server Version,Cipher Picked,Extensions
769,49172, MD5 hash JA3S = 623de93db17d313345d7ea481e7443cf

135 JA JA3S Example, the JA3 ending in cc4 is powershell, in 9ad is Microsoft Edge, the server always responds the same to each client but differently to different clients

136 JA JA3S Example, the JA3 ending in cc4 is powershell, in 9ad is Microsoft Edge, the server always responds the same to each client but differently to different clients

137 Trickbot Malware JA3 = 6734f37431670b3ab4292b8f60f29984
JA3S = 623de93db17d313345d7ea481e7443cf

138 IcedID Malware JA3 = 4d7a28d6f2263ed61de88ca66eb011e3
JA3S = 80b3a14bccc8598a1f3bbe83e71f735f

139 JA3S = a95ca7eab4d47d051a5cd4fb7b6005dc
Tor JA3 = e7d705a3286e19ea42f587b344ee6865 JA3S = a95ca7eab4d47d051a5cd4fb7b6005dc

140 https://github.com/salesforce/ja3
JA3S pip install pyja3 bro-pkg install ja3

141 Metasploit SSL Round 5

142 payload/windows/meterpreter/reverse_https
Kali JA3S: de61602be74d4b bd18e Lets look at Metasploit again. Here’s Metasploit’s server hello responding to meterpreter payload on Windows10. Notice the cipher suite it chose, the extensions it decided to use.

143 payload/windows/meterpreter/reverse_https
Kali Metasploit JA3S: de61602be74d4b bd18e And the JA3S is also iffy

144 payload/windows/meterpreter/reverse_https
JA3=72a589da586844d7f0818ce684948eea AND JA3S=70999de61602be74d4b bd18e Combined together and it’s all you need for detecting Metasploit, regardless of the certificate

145 payload/windows/meterpreter/reverse_https
JA3=72a589da586844d7f0818ce684948eea AND JA3S=70999de61602be74d4b bd18e Combined together and it’s all you need for detecting Metasploit, regardless of the certificate

146 Cobalt Strike - Beacon (Windows 10)

147 Cobalt Strike - Beacon (Kali Linux)

148 Cobalt Strike - Beacon (Kali Linux)

149 Cobalt Strike - Beacon (Kali Linux)
JA3=72a589da586844d7f0818ce684948eea AND JA3S=b742b407517bac9536a77a7b0fee28e9 Combined together and it’s all you need for detecting Metasploit, regardless of the certificate

150 Simple Low False Positive Detection
Metasploit Win10 to Kali: (JA3=72a589da586844d7f0818ce684948eea OR JA3=a0e9f5d64349fb13191bc781f81f42e1) AND JA3S=70999de61602be74d4b bd18e Cobalt Strike Win10 to Kali: (JA3=72a589da586844d7f0818ce684948eea OR JA3=a0e9f5d64349fb13191bc781f81f42e1) AND JA3S=b742b407517bac9536a77a7b0fee28e9 Detection could be built on this alone

151 Empire (Python)

152 Empire (Pen Testers) In this example, the malware is the Python version of Empire

153 Empire (Pen Testers) JA3=Python

154 Empire (Pen Testers) I forgot to take a screenshot but this is what it looked like in Splunk, I swear.

155 Empire (Pen Testers) The JA3S is their server

156 Empire (Pen Testers) JA3+JA3S, super rare and that’s the detection.

157 HASSH Fingerprinting for SSH Clients and Servers
Idea and Concept by Ben Reardon Jeff to pick up here

158 HASSH

159 HASSH

160 HASSH ToDo: add link to Ben’s Salesforce Engineering Blog Post

161 Fingerprinting SSH - The HASSH Method

162 Fingerprinting SSH - The HASSH Method
KeyExchange;

163 Fingerprinting SSH - The HASSH Method
KeyExchange;Encryption;

164 Fingerprinting SSH - The HASSH Method
KeyExchange;Encryption;MessageAuth;

165 Fingerprinting SSH - The HASSH Method
KeyExchange;Encryption;MessageAuth;Compression

166 Fingerprinting SSH - The HASSH Method
KeyExchange;Encryption;MessageAuth;Compression MD5 hash

167 Fingerprinting SSH - The HASSH Method
KeyExchange;Encryption;MessageAuth;Compression MD5 hash HASSH = 9c325a9bc631ff065307ccc05217c7da

168 Fingerprinting SSH - The HASSH Method

169 Fingerprinting SSH - The HASSH Method
HASSH = 8a8ae540028bf433cd68356c1b9e8d5b

170 HASSH https://github.com/salesforce/hassh
Created by: Ben Adel John Jeff Atkinson /in/anNh

171 Conclusion JA3 is not a silver bullet
Application collisions can happen Applications can connect through OS APIs There can be up to 5 JA3s for the same application But it is always valuable as a pivot point for analysis JA3 is a silver bullet (sometimes) Each environment is different Combined with JA3S allows for fingerprinting the entire TLS communication between client and server

172 Conclusion This style of fingerprinting can work across other encrypted channels! Please take this, use it, build off of our research, make it better, help push the industry forward.

173

174

175

176 https://github.com/salesforce/ja3 https://github.com/salesforce/hassh
John Althouse Threat Detection @4A4133 Jeff Atkinson Threat Intel @4a7361 in/anNh

Download ppt "Fingerprinting Encrypted Channels with Bro for High Fidelity Detection"

Similar presentations

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.

Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
SSH Secure Login Connections over the Internet

SSH Secure Login Connections over the Internet
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Bradley Cowie Supervised by Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University MANAGEMENT, PROCESSING AND.

Bradley Cowie Supervised by Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University MANAGEMENT, PROCESSING AND.
Secure Socket Layer (SSL)

Secure Socket Layer (SSL)
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)

Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
G CITRIXHACKIN. Citrix Presentation Server 4.5 New version is called XenApp/Server Common Deployments Nfuse classic CSG – Citrix Secure Gateway Citrix.

G CITRIXHACKIN. Citrix Presentation Server 4.5 New version is called XenApp/Server Common Deployments Nfuse classic CSG – Citrix Secure Gateway Citrix.

Similar presentations

Ads by Google