Fingerprinting Encrypted Channels for Detection

DerbyCon 8.0 - Evolution

Presented by: John B. Althouse
Date: Sunday October 07, 2018
Time: 12:00 - 12:50
Location: Marriott VII, VIII, IX, X
Track: Track 2

Last year we open sourced JA3, a method for fingerprinting client applications over TLS, and we saw that it was good. This year we tried fingerprinting the server side of the encrypted communication, and it's even better. Fingerprinting both ends of the channel creates a unique TLS communication fingerprint between client and server, making detection of TLS C2 channels exceedingly easy. I'll explain how in this talk. What about non-TLS encrypted channels? The same principle can be applied. I'll talk about fingerprinting SSH clients and servers and what we've observed in our research. Are those SSH clients what they say they are? Maybe not.
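As an added example (not code from the talk or the JA3 project): the client-side JA3 string and the server-side counterpart (known as JA3S) computed from constructed handshake parameters, then paired so that a familiar client fingerprint talking to a server configuration never seen with it before is flagged. The field layout and GREASE exclusion follow the published JA3 specification; the handshake values and the baseline table are constructed for illustration.

```python
import hashlib

# GREASE values (RFC 8701) are randomised per connection and excluded from JA3/JA3S
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

def _field(values):
    """Join one JA3 field with '-', dropping GREASE values."""
    return "-".join(str(v) for v in values if v not in GREASE)

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Client Hello: SSLVersion,Cipher,SSLExtension,EllipticCurve,EllipticCurvePointFormat."""
    return ",".join([str(version), _field(ciphers), _field(extensions),
                     _field(curves), _field(point_formats)])

def ja3s_string(version, cipher, extensions):
    """Server Hello: SSLVersion,Cipher,SSLExtension (the server picks a single cipher)."""
    return ",".join([str(version), str(cipher), _field(extensions)])

def fingerprint(s):
    """JA3 and JA3S hashes are the MD5 of the joined string."""
    return hashlib.md5(s.encode()).hexdigest()

def classify(client, server, baseline):
    """Return 'known' if this (JA3, JA3S) pair is in the baseline, else 'unknown-pair'.
    The pair, not either hash alone, is what distinguishes a C2 channel from normal traffic."""
    ja3 = fingerprint(ja3_string(**client))
    ja3s = fingerprint(ja3s_string(**server))
    return "known" if ja3s in baseline.get(ja3, set()) else "unknown-pair"

# Constructed handshake parameters (illustrative, not captured traffic)
CLIENT = dict(version=771, ciphers=[0x1a1a, 4865, 4866, 49195, 49199],
              extensions=[0x0a0a, 0, 23, 65281, 10, 11, 35, 16, 5, 13],
              curves=[0x6a6a, 29, 23, 24], point_formats=[0])
SERVER_EXPECTED = dict(version=771, cipher=49199, extensions=[65281, 0, 11, 35, 16])
SERVER_ODD = dict(version=771, cipher=49199, extensions=[65281, 0, 11])

# Constructed baseline: the JA3S values previously observed for each JA3
BASELINE = {fingerprint(ja3_string(**CLIENT)): {fingerprint(ja3s_string(**SERVER_EXPECTED))}}

if __name__ == "__main__":
    print(ja3_string(**CLIENT))
    print(classify(CLIENT, SERVER_EXPECTED, BASELINE), classify(CLIENT, SERVER_ODD, BASELINE))
```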

John B. Althouse

Detection Scientist, Bro NSM Enthusiast, PC Master Builder, BMW Track Instructor


KhanFu - Mobile schedules for INFOSEC conferences.