323 lines
14 KiB
TeX
323 lines
14 KiB
TeX
% DO NOT COMPILE THIS FILE DIRECTLY!
|
|
% This is included by the other .tex files.
|
|
|
|
\begin{frame}[t,plain]
|
|
\titlepage
|
|
\end{frame}
|
|
|
|
\colorlet{punct}{red!60!black}
|
|
\definecolor{background}{HTML}{EEEEEE}
|
|
\definecolor{delim}{RGB}{20,105,176}
|
|
\colorlet{numb}{magenta!60!black}
|
|
|
|
\lstdefinelanguage{brol}{
|
|
basicstyle=\normalfont\ttfamily,
|
|
numbers=left,
|
|
numberstyle=\scriptsize,
|
|
stepnumber=1,
|
|
numbersep=8pt,
|
|
showstringspaces=false,
|
|
breaklines=true,
|
|
frame=lines,
|
|
basicstyle=\tiny,
|
|
backgroundcolor=\color{background},
|
|
}
|
|
|
|
|
|
\begin{frame}[t, fragile]{Datasets used}
|
|
\begin{itemize}
|
|
\item Eireann used Shodan stream of certificates (350k certificates in counting Bloomfilter).
|
|
\begin{itemize}
|
|
\item Thanks to John (Shodan) Matherly.
|
|
\end{itemize}
|
|
\item Alex used the CIRCL Passive SSL datasets (around 100 millions certificates).
|
|
\begin{itemize}
|
|
\item Thanks to GCHQ (for the idea).
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t,fragile]{Problem statement}
|
|
CSIRT or LIRT or security analysts have recurring issues to:
|
|
\begin{itemize}
|
|
\item Find owners of IP addresses.
|
|
\item Detect usage of CIDR blocks.
|
|
\item Find vulnerable systems passively (and avoid intrusive scanning).
|
|
\begin{itemize}
|
|
\item Scale of potential impact.
|
|
\end{itemize}
|
|
\item Detect compromised services.
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t,fragile]{Acknowlegement}
|
|
\begin{itemize}
|
|
\item Thanks to GCHQ and the FLYING PIG program
|
|
\item and Edward Snowden for releasing the document.
|
|
\end{itemize}
|
|
|
|
\includegraphics[scale=0.4]{FlyingPigHeader.png}
|
|
\begin{itemize}
|
|
\item Double edge techniques that can be used for good or bad reasons.
|
|
\item Another opportunity to improve your threat modeling and your weak TLS knowledge.
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t,fragile]{Passive SSL}
|
|
\begin{itemize}
|
|
\item Replicating Passive DNS concepts into SSL/TLS.
|
|
\item Keeping a history of X.509 certificates seen per IP address.
|
|
\begin{itemize}
|
|
\item Usage over time of the X.509 certificates.
|
|
\end{itemize}
|
|
\item Providing a search ReST interface per IP address, CIDR block.
|
|
\item Tracing the use of CA and CRL/OCSP.
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t,fragile]{Collecting X.509 Certificates - Internet Scanning}
|
|
\begin{itemize}
|
|
\item Scan the Internet yourself (e.g. In a single scan of the IPv4 space, close to 50 millions certificates).
|
|
\item Which port to scan? protocol or service? pps?
|
|
\item How often? (e.g. weekly scan helps to determine the stability of an IP,Certificate tuple)
|
|
\item Cannot scan, you can reuse existing scanning data (e.g. \url{scans.io}).
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\usetikzlibrary{positioning}
|
|
|
|
\begin{frame}[t,fragile]{Collecting X.509 Certificates - Passive DNS - SNI}
|
|
\begin{itemize}
|
|
\item On a single IPv4 address, you can have more than one certificate.
|
|
\begin{itemize}
|
|
\item Alternate SSL ports, multihomed systems
|
|
\item Other services: SSL-VPN, ESMTP, DTLS, IMAP, ...
|
|
\end{itemize}
|
|
\item How to scan IPv6 address space for X.509 Certificates.
|
|
\item Passive DNS used as a source for SNI (Server Name Indication) value or IPv6 addresses.
|
|
\end{itemize}
|
|
\tikzstyle{block} = [rectangle, draw, fill=green!20, text width=7em, text centered, rounded corners, minimum height=1.5em]
|
|
\tikzstyle{line} = [draw, -latex']
|
|
\begin{center}
|
|
\scalebox{0.6}{
|
|
\begin{tikzpicture}[scale=1, node distance = 1cm and 5mm, auto, edge from parent/.style={->,draw}, >=latex]
|
|
|
|
\node [block, fill=lightgray!20, text=red] (passivedns) {Passive DNS};
|
|
\node [block, right = of passivedns, fill=lightgray!20] (domainextraction) {record fetcher};
|
|
\node [block, below = of domainextraction] (Arecord) {IPv4 - 'A' records};
|
|
\draw [dotted] (domainextraction) -- (Arecord);
|
|
\node [block, below = of Arecord] (AAAArecord) {IPv6 - 'AAAA' records};
|
|
\draw [dotted] (Arecord) -- (AAAArecord);
|
|
\node [block, below = of AAAArecord] (MXrecord) {SMTP - 'MX' records};
|
|
\draw [dotted] (AAAArecord) -- (MXrecord);
|
|
\node [block, right = of MXrecord] (STARTTLS) {STARTTLS scanner};
|
|
\draw (passivedns) -- (domainextraction);
|
|
\node [block, right = of domainextraction, fill=lightgray!20] (scanner) {TLS scanner};
|
|
\draw (MXrecord) -- (STARTTLS);
|
|
\draw (domainextraction) -- (scanner);
|
|
\draw [dotted] (STARTTLS) -- (scanner);
|
|
\end{tikzpicture}}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t,fragile]{Collecting X.509 Certificates - Network Interception}
|
|
\begin{itemize}
|
|
\item Tapping a network interface where SSL/TLS handshakes are performed.
|
|
\item TCP reassembly is still hard and finding SSL/TLS handshakes is a complementary problem.
|
|
\item ssldump\footnote{\url{http://www.github.com/adulau/ssldump}}, Suricata, Moloch,...
|
|
\item If you collect SSL/TLS handshakes in your internal network, don't forget the impact of intercepting proxies.
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t,fragile]{Collecting X.509 Certificates from Tor exit nodes}
|
|
\begin{itemize}
|
|
\item Tor exit nodes traffic is an interesting source of alternative X.509 certificates (e.g. Tor circuits, XMPP sessions, TLS on non-standard ports).
|
|
\item A huge proportion of flows uses TLS which provides a good overview of the most active X.509 certificates (e.g. Google, .vk.com...).
|
|
\item Don't forget, not all the security researchers have good intention (e.g. FLYING PIG).
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t,fragile]{Security Perspective of X.509 Certificates}
|
|
\begin{itemize}
|
|
\item Subject Name and Issuer Name can provide a lot of details about the devices, issuers or the overall security practices.
|
|
\begin{itemize}
|
|
\item A lot of X.509 certificates are automatically generated without the users knowledge.
|
|
\item Detailed or sensitive information can leak in the X.509 certificate fields.
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\begin{lstlisting}[language=brol]
|
|
4fd64e325ec7a14ac2e34bb5cfed28fef24c3ffb,C=DE, ST=Bavaria, L=Ingolstadt, O=Kaspersky Lab GmbH, OU=Pre-Sales, CN=rdg.klab.it.cx/emailAddress=consulting@kaspersky.de
|
|
dc4a127eae8a47a8041a4ce7f1a214c3e6957cd6,C=RU, ST=Moscow, L=Moscow, O=Kaspersky Lab ZAO, OU=IT, CN=nordnetsync.anti-theft.kaspersky.com
|
|
8a9c839f2ff275c79a985ea84b89bc9fa404d010,C=RU, ST=Moscow, L=Moscow, O=Kaspersky Lab, OU=IT, CN=owa.kaspersky.com
|
|
\end{lstlisting}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t,fragile]{Key-size distribution}
|
|
\begin{center}
|
|
\begin{tabular}{ l | c}
|
|
Occurences&Key-size\\ \hline
|
|
181899&1024\\
|
|
143532&2048\\
|
|
4997&512\\
|
|
2845&4096\\
|
|
1467&3072\\
|
|
36&1023\\
|
|
33&256\\
|
|
30&2432\\
|
|
26&768\\
|
|
13&8192\\
|
|
11&2047\\
|
|
10&1536\\
|
|
\end{tabular}
|
|
\end{center}
|
|
|
|
\end{frame}
|
|
|
|
\begin{frame}[t,fragile]{Key-size and Revocation}
|
|
\includegraphics[scale=0.23]{./images/expired.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t,fragile]{An Overview of Most Common Self-signed Certificates}
|
|
\begin{center}
|
|
\includegraphics[scale=0.25]{./images/SelfSignedCloud.png}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\colorlet{punct}{red!60!black}
|
|
\definecolor{background}{HTML}{EEEEEE}
|
|
\definecolor{delim}{RGB}{20,105,176}
|
|
\colorlet{numb}{magenta!60!black}
|
|
|
|
\lstdefinelanguage{json}{
|
|
basicstyle=\normalfont\ttfamily,
|
|
numbers=left,
|
|
numberstyle=\scriptsize,
|
|
stepnumber=1,
|
|
numbersep=8pt,
|
|
showstringspaces=false,
|
|
breaklines=true,
|
|
frame=lines,
|
|
backgroundcolor=\color{background},
|
|
literate=
|
|
*{0}{{{\color{numb}0}}}{1}
|
|
{1}{{{\color{numb}1}}}{1}
|
|
{2}{{{\color{numb}2}}}{1}
|
|
{3}{{{\color{numb}3}}}{1}
|
|
{4}{{{\color{numb}4}}}{1}
|
|
{5}{{{\color{numb}5}}}{1}
|
|
{6}{{{\color{numb}6}}}{1}
|
|
{7}{{{\color{numb}7}}}{1}
|
|
{8}{{{\color{numb}8}}}{1}
|
|
{9}{{{\color{numb}9}}}{1}
|
|
{:}{{{\color{punct}{:}}}}{1}
|
|
{,}{{{\color{punct}{,}}}}{1}
|
|
{\{}{{{\color{delim}{\{}}}}{1}
|
|
{\}}{{{\color{delim}{\}}}}}{1}
|
|
{[}{{{\color{delim}{[}}}}{1}
|
|
{]}{{{\color{delim}{]}}}}{1},
|
|
}
|
|
|
|
|
|
\begin{frame}[t,fragile]{Most Common Subject and Org Names in X.509}
|
|
\begin{center}
|
|
\includegraphics[scale=0.20]{./images/SelfSigned.png}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t,fragile]{Dyre malware and SSL fingerprint}
|
|
\begin{itemize}
|
|
\item Dyre malware contains a list of static IP addresses to reach as C\&C. What kind of C\&C?
|
|
\end{itemize}
|
|
\begin{lstlisting}[language=json,firstnumber=1]
|
|
{"5.44.15.70": ["C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT/emailAddress=support@ubnt.com"]}
|
|
{"93.184.71.88": ["C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT/emailAddress=support@ubnt.com"]}
|
|
\end{lstlisting}
|
|
\begin{itemize}
|
|
\item The compromised Ubiquiti routers (with default password) were compromised to proxy SSL connections.
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\lstdefinelanguage{brol}{
|
|
basicstyle=\normalfont\ttfamily,
|
|
numbers=left,
|
|
numberstyle=\scriptsize,
|
|
stepnumber=1,
|
|
numbersep=8pt,
|
|
showstringspaces=false,
|
|
breaklines=true,
|
|
frame=lines,
|
|
basicstyle=\tiny,
|
|
backgroundcolor=\color{background},
|
|
}
|
|
|
|
\begin{frame}[t,fragile]{How to find user of a specific software?}
|
|
\begin{itemize}
|
|
\item Who use MobileIron Mobile Device Management? More than 11000 certificates on a two-year period.
|
|
\end{itemize}
|
|
\begin{lstlisting}[language=brol]
|
|
c2ef4df6c7be287f78ae9178d65e8078f253cfb1,C=US, ST=California, L=Sunnyvale, O=MobileIron, OU=Support, CN=ActiveSyncProxyCA/emailAddress=support@mobileiron.com
|
|
5c10590f0e977c15805124ddc00f470383768b10,C=US, ST=California, L=Sunnyvale, O=MobileIron, OU=Support, CN=usslmmdmsecapp004.net.plm.eds.com/emailAddress=support@mobileiron.com
|
|
9ce9edf68ecbf59c746e0d3bbe6d98d72b65fed3,C=US, ST=California, L=Sunnyvale, O=MobileIron, OU=Support, CN=mbx-desat-otn.defdh.astrium.eads.net/emailAddress=support@mobileiron.com
|
|
b47ec8382624035448eebcf15a1cd402425ca661,C=US, ST=California, L=Sunnyvale, O=MobileIron, OU=Support, CN=ActiveSyncProxyCA/emailAddress=support@mobileiron.com
|
|
5190314e4590420e75a2e7b21c74b34255da0806,C=US, ST=California, L=Sunnyvale, O=MobileIron, OU=Support, CN=ats.patrizia.ag/emailAddress=support@mobileiron.com
|
|
\end{lstlisting}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t,fragile]{Detecting dynamic IP ranges?}
|
|
\begin{itemize}
|
|
\item SSL/TLS services are often running on dynamic IP ranges. Users use dynamic DNS. Dynamic ranges managed by ISP can be detected and associated users too.
|
|
\end{itemize}
|
|
\begin{lstlisting}[language=brol]
|
|
d53cc7380ed06c8b8ef0163952c9c534afad7ab8,CN=pino007.ath.cx
|
|
92bfef7362de7b381c723a2a352d54d82d49712a,CN=profinance.ath.cx
|
|
2cd0f2033c756222c976b631dba1a95a87aeadf9,CN=kschaub.ath.cx
|
|
c0de4fe83452046c0529b74f6081a39f82907746,CN=fferemote.ath.cx
|
|
b0d04a23ff6da2191d7b78f72352f1196802f61f,CN=hm01-server.Filmhotel.local, CN=localhost, CN=hm01-server, CN=companyweb, CN=filmhotel.ath.cx
|
|
a4b54adb780a5c9ea737399f9492f9f4dafc721d,CN=praxis-drciftci.ath.cx
|
|
77b89a57304256562ebfa42024fa9adeb304ad5a,CN=remote.mandk.ath.cx
|
|
\end{lstlisting}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t,fragile]{Popcorn time}
|
|
\begin{lstlisting}[language=brol]
|
|
e4bd71c2e365b61b39d775ba43ef936a4fe9175c,C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=*.*
|
|
1fc3a857a14ca15d3c37fdb2c8b7e0de01e4f0fd,C=IL, ST=Tel Aviv, O=Visonic Ltd., CN=*.*
|
|
397b25c864131bc78aff25622296171d60843318,C=IE, ST=Dublin, O=Fuck SSL Cartels, CN=*.nosmo.me/emailAddress=nosmo@nosmo.me
|
|
\end{lstlisting}
|
|
|
|
\begin{itemize}
|
|
\item We can laugh at everything? Especially with this certificate proposed by 94.242.58.131
|
|
\end{itemize}
|
|
\begin{lstlisting}[language=brol]
|
|
06892001be0854570546b1e609d33a5510290e3b,C=US, ST=California, L=Mountain View, O=GeoTrust Inc., OU=GeoTrust Global CA, CN=*.*
|
|
|
|
Issuer: C=US, ST=California, L=Mountain View, O=GeoTrust Inc., OU=GeoTrust Global CA, CN=*.*
|
|
Validity
|
|
Not Before: May 19 09:54:04 2015 GMT
|
|
Not After : May 16 09:54:04 2025 GMT
|
|
Subject: C=US, ST=California, L=Mountain View, O=GeoTrust Inc., OU=GeoTrust Global CA, CN=*.*
|
|
|
|
\end{lstlisting}
|
|
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}[t, fragile]{Conclusion}
|
|
\begin{itemize}
|
|
\item Passive SSL helped us to get in contact with owners of vulnerable or abused systems.
|
|
\item Passive SSL is an ongoing project and you can request access if do incident handling or security research\footnote{\url{https://www.circl.lu/services/passive-ssl/}}.
|
|
\item Weird occurences in dataset lead to additional insights.
|
|
\item Analysing the same dataset with different eyes improved analysis.
|
|
\item Comparing different datasets can be independant verification of facts or proportion.
|
|
\item Information visualisation can be used as a navigation strategy before deep diving.
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t, fragile]{Q\&A}
|
|
\begin{itemize}
|
|
\item @blackswanburst - eireann.leverett@cantab.net
|
|
\item @adulau - alexandre.dulaunoy@circl.lu
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|