Finding Evil on the Network Using JA3/S and HASSH

John Althouse, Director of Threat Detection, Salesforce

Network threat detection is a moving target. Those of us in the threat detection corner of the security universe are always on the lookout for better ways to identify and prevent “evil on the network.” With JA3/S and HASSH, detecting malicious encrypted channels on the network can be, in some cases, exceedingly easy.

Recently, I held a tech talk titled Finding Evil on the Network Using JA3/S and HASSH. This blog is a very high-level overview of that talk, so you can decide without spending too much time whether it’s something you’d be interested in watching. I also have a more detailed blog on the subject with code samples that you can find here.

The JA3 Standard

JA3 is a standard for creating Secure Sockets Layer/Transport Layer Security (SSL/TLS) client fingerprints in a way that is easy to produce and share. The primary concept of fingerprinting TLS clients came from Lee Brotherston's 2015 research and his DerbyCon talk. If it weren't for Lee's research and his open sourcing of it, we wouldn't have started work on JA3. JA3 was created by John Althouse, Jeff Atkinson, and Josh Atkins.

TLS and its predecessor, SSL, are used by common applications to encrypt communication and keep data secure, and by malware so that it can hide in the noise. To initiate a TLS session, a client sends a TLS Client Hello packet following the TCP 3-way handshake. This packet, and the way in which it is generated, depend on the packages and methods used when building the client application.

If it accepts TLS connections, the server responds with a TLS Server Hello packet, which is formulated from server-side libraries and configuration as well as the details in the Client Hello. Because the TLS negotiation is transmitted in the clear (the Client Hello and Server Hello are unencrypted in every TLS version, including 1.3), it's possible to fingerprint and identify client applications using the details in the TLS Client Hello packet.

The JA3 method gathers the decimal values of the bytes for the following fields in the Client Hello packet: Version, Accepted Ciphers, List of Extensions, Elliptic Curves (the supported_groups extension, type 10), and Elliptic Curve Formats (the ec_point_formats extension, type 11). It then concatenates those values using a “,” to delimit each field and a “-” to delimit each value within a field, and MD5-hashes the resulting string into an easily consumable and shareable fingerprint. GREASE values, the random placeholder cipher, extension, and group values that modern browsers insert into the Client Hello, are ignored, since they are chosen at random per connection and would otherwise change the fingerprint from one connection to the next.

We hash the fingerprint string because there’s no limit to how many ciphers or extensions can be added to the Client or Server Hello. Our rule of thumb is that if the fingerprint cannot fit in a tweet, it’s too long. We also hash the JA3 fingerprint so it can be more easily integrated into existing technologies.

The JA3S Standard

After creating JA3, we started playing with the same method to fingerprint the server side of the TLS handshake: the TLS Server Hello message. The JA3S method gathers the decimal values of the bytes for these fields in the Server Hello packet: Version, Accepted Cipher (the single suite the server selected), and List of Extensions. It concatenates and MD5-hashes those values in the same way JA3 does on the client side. Note that in TLS 1.3 the server moves most of its extensions into the encrypted EncryptedExtensions message and keeps the Server Hello's version field at 0x0303 (771), signalling the real version in the supported_versions extension, so the JA3S inputs for a 1.3 handshake are sparser than for 1.2.

Working on JA3S, we found that the same server will generate its Server Hello message differently depending on the Client Hello message and its contents. It isn't possible to fingerprint a server based only on its Hello message the way we can fingerprint clients with JA3. Nevertheless, we learned that although servers respond to different clients differently, they always respond to the same client in the same way. Pairing the JA3 of a client with the JA3S of the server's response therefore identifies particular TLS clients and TLS flows with much greater fidelity than JA3 alone.
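As an added example (it is not code from the original post or from the ja3 project), the following Python computes the JA3 string from a Client Hello, as described under "The JA3 Standard" above, and the JA3S string from a Server Hello as described in this section, straight from the raw TLS record bytes. The two handshake records it parses are constructed in the block rather than captured; the hostname example.com, the cipher suites, the extension lists and the GREASE placements in them are assumptions, chosen so that the example shows GREASE values being ignored and the "-"/"," joining and MD5 step end to end.

```python
"""JA3 (Client Hello) and JA3S (Server Hello) fingerprints from raw TLS records.
Added example, not code from the original post or the ja3 project; the sample
records at the bottom are constructed here with assumed values, not captured."""
import hashlib
import struct

EXT_SUPPORTED_GROUPS = 10   # "Elliptic Curves" in the JA3 description
EXT_EC_POINT_FORMATS = 11   # "Elliptic Curve Formats"

def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are random filler; JA3 ignores them."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)

def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]

def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the 5-byte TLS record header and the 4-byte handshake header."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if hs[0] != expected_type:
        raise ValueError(f"expected handshake type {expected_type}, got {hs[0]}")
    return hs[4:4 + int.from_bytes(hs[1:4], "big")]

def _parse_extensions(body: bytes, off: int) -> list:
    if off >= len(body):                               # a Hello without an extensions block is legal
        return []
    end, off, exts = off + 2 + _u16(body, off), off + 2, []
    while off < end:                                   # [(type, data), ...] in wire order
        ext_type, ext_len = struct.unpack_from("!HH", body, off)
        exts.append((ext_type, body[off + 4:off + 4 + ext_len]))
        off += 4 + ext_len
    return exts

def _fingerprint(fields: list) -> tuple:
    """'-' joins values within a field, ',' joins fields, then MD5 as JA3/JA3S do."""
    s = ",".join("-".join(str(v) for v in f) for f in fields)
    return s, hashlib.md5(s.encode()).hexdigest()

def ja3(record: bytes) -> tuple:
    """JA3: 'version,ciphers,extensions,curves,point_formats' and its MD5."""
    body = _handshake_body(record, 0x01)              # 0x01 = ClientHello
    version = _u16(body, 0)
    off = 2 + 32                                       # skip client_random
    off += 1 + body[off]                               # skip session_id
    n, off = _u16(body, off), off + 2
    ciphers = [_u16(body, i) for i in range(off, off + n, 2)]
    off += n
    off += 1 + body[off]                               # skip compression_methods
    exts = _parse_extensions(body, off)
    curves, fmts = [], []
    for ext_type, data in exts:
        if ext_type == EXT_SUPPORTED_GROUPS:          # 2-byte length, then 2-byte groups
            curves = [_u16(data, i) for i in range(2, 2 + _u16(data, 0), 2)]
        elif ext_type == EXT_EC_POINT_FORMATS:        # 1-byte length, then 1-byte formats
            fmts = list(data[1:1 + data[0]])
    return _fingerprint([[version],
                         [c for c in ciphers if not is_grease(c)],
                         [t for t, _ in exts if not is_grease(t)],
                         [c for c in curves if not is_grease(c)],
                         fmts])

def ja3s(record: bytes) -> tuple:
    """JA3S: 'version,cipher,extensions' and its MD5."""
    body = _handshake_body(record, 0x02)              # 0x02 = ServerHello
    version = _u16(body, 0)
    off = 2 + 32 + 1 + body[2 + 32]                    # skip server_random and session_id
    cipher = _u16(body, off)
    exts = _parse_extensions(body, off + 3)            # past 2-byte cipher + 1-byte compression
    return _fingerprint([[version], [cipher], [t for t, _ in exts if not is_grease(t)]])

# ---- constructed sample handshake (assumed values, chosen to include GREASE) ----
def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data

def _record(hs_type: int, body: bytes) -> bytes:
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

_CIPHERS = [0x0A0A, 0xC02B, 0xC02F, 0x002F, 0x0035]     # GREASE first, as Chrome does
_CLIENT_EXTS = (
    _ext(0x0A0A, b"")                                    # GREASE extension
    + _ext(0, b"\x00\x0e\x00\x00\x0bexample.com")        # server_name
    + _ext(10, b"\x00\x08" + struct.pack("!4H", 0x1A1A, 29, 23, 24))  # supported_groups
    + _ext(11, b"\x01\x00")                              # ec_point_formats: uncompressed
    + _ext(13, b"\x00\x04\x04\x03\x08\x04")              # signature_algorithms
)
CLIENT_HELLO = _record(0x01, b"\x03\x03" + b"\x11" * 32 + b"\x00"   # TLS 1.2, random, no session_id
                       + struct.pack(f"!H{len(_CIPHERS)}H", 2 * len(_CIPHERS), *_CIPHERS)
                       + b"\x01\x00" + struct.pack("!H", len(_CLIENT_EXTS)) + _CLIENT_EXTS)

_SERVER_EXTS = _ext(65281, b"\x00") + _ext(11, b"\x01\x00")   # renegotiation_info, ec_point_formats
SERVER_HELLO = _record(0x02, b"\x03\x03" + b"\x22" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
                       + struct.pack("!H", len(_SERVER_EXTS)) + _SERVER_EXTS)

if __name__ == "__main__":
    print("JA3 ", *ja3(CLIENT_HELLO))     # 771,49195-49199-47-53,0-10-11-13,29-23-24,0 <md5>
    print("JA3S", *ja3s(SERVER_HELLO))    # 771,49199,65281-11 <md5>
```

Saved as, say, ja3_demo.py and run directly, it prints the JA3 string 771,49195-49199-47-53,0-10-11-13,29-23-24,0 and the JA3S string 771,49199,65281-11, each followed by its MD5. Note that the GREASE cipher 0x0a0a, GREASE extension and GREASE group 0x1a1a present in the constructed Client Hello do not appear in the string. In practice you would pull the records out of a pcap, or let Suricata or Zeek (via the ja3 package) emit the hashes for you; the point of writing it out is seeing exactly which bytes feed the hash, and therefore which changes (a new cipher suite, a reordered extension list, a TLS 1.3 server moving its extensions out of the Server Hello) will shift a fingerprint you have a detection rule on.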

I go into all of this much more deeply in the tech talk, covering:

  • How TLS works
  • Fingerprinting TLS with JA3/S
  • Threats that can be detected with fingerprinting
  • How SSH works
  • Fingerprinting SSH and detecting threats with HASSH

So, check it out and contact me on Twitter, @4A4133. I’d love to know your thoughts and whether you found it helpful.

Translated from: https://engineering.salesforce.com/finding-evil-on-the-network-using-ja3-s-and-hassh-11431a8606e4
