Fingerprinting Encrypted Channels for Detection - John Althouse Derbycon 2018 (Hacking Illustrated Series InfoSec Tutorial Videos)

Fingerprinting Encrypted Channels for Detection
John Althouse
Derbycon 2018

Last year we open sourced JA3, a method for fingerprinting client applications over TLS, and we saw that it was good. This year we tried fingerprinting the server side of the encrypted communication, and it's even better. Fingerprinting both ends of the channel creates a unique TLS communication fingerprint between client and server, making detection of TLS C2 channels exceedingly easy. I'll explain how in this talk. What about non-TLS encrypted channels? The same principle can be applied. I'll talk about fingerprinting SSH clients and servers and what we've observed in our research. Are those SSH clients what they say they are? Maybe not.

Detection Scientist, Bro NSM Enthusiast, PC Master Builder, BMW Track Instructor

@4A4133


Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast