Closed. ShellCode33 closed this issue 4 years ago.
JA3 gathers the decimal values of the bytes for the following fields in the Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats.
On the meterpreter side, it looks like SSL (TLS?) is configured here, and according to the SSLContext documentation, the following attributes can be set:
On the handler side (I guess it depends if we're talking bind or reverse), to fingerprint the server, JA3 relies on those fields: SSLVersion, Cipher, SSLExtension, but I haven't been able to find where it could be set in the code; I'm not used to reading Ruby :/
This is probably a very marginal technique, maybe nobody does that kind of fingerprinting, but it doesn't cost much to randomize a few fields in SSL/TLS configuration in order to improve stealthiness a bit more.
First, do you have any idea if that kind of fingerprinting is often used by IDS or antivirus software?
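As an added example (not code from this issue or from Metasploit) of the fingerprint those Client Hello fields produce, here is a minimal JA3 computation over a constructed ClientHello record. The parsing helpers, builder and sample values are assumptions made for the demonstration; GREASE values are dropped, as the JA3 reference implementation does, and the fields are joined in the order the comment above lists them.

```python
import hashlib
import struct

# GREASE values (RFC 8701), which JA3 ignores so random padding does not change the hash.
GREASE = {(x << 8) | x for x in range(0x0a, 0x100, 0x10)}
def u16(buf, pos):
    return struct.unpack(">H", buf[pos:pos + 2])[0]

def ja3_from_client_hello(record):
    """Parse a TLS record carrying a ClientHello; return (ja3_string, ja3_md5)."""
    hs = record[5:]                        # skip the 5-byte TLS record header
    assert record[0] == 0x16 and hs[0] == 0x01, "not a ClientHello handshake record"
    pos = 4                                # skip handshake type + 3-byte length
    version = u16(hs, pos); pos += 2       # JA3 uses the ClientHello version field
    pos += 32 + 1 + hs[pos + 32]           # skip client random, then session id
    cs_len = u16(hs, pos); pos += 2
    ciphers = [c for (c,) in struct.iter_unpack(">H", hs[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len + 1 + hs[pos + cs_len]   # skip cipher suites, then compression methods
    exts, curves, formats = [], [], []
    end = pos + 2 + u16(hs, pos) if pos < len(hs) else pos
    pos += 2
    while pos < end:
        etype, elen = u16(hs, pos), u16(hs, pos + 2)
        body = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype in GREASE:
            continue
        exts.append(etype)
        if etype == 10:    # supported_groups: 2-byte list length, then 2-byte group ids
            curves = [g for (g,) in struct.iter_unpack(">H", body[2:]) if g not in GREASE]
        elif etype == 11:  # ec_point_formats: 1-byte list length, then 1-byte formats
            formats = list(body[1:])
    dash = lambda vals: "-".join(str(v) for v in vals)
    ja3 = ",".join([str(version), dash(ciphers), dash(exts), dash(curves), dash(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def build_client_hello(version, ciphers, exts):
    # Builds a constructed (not captured) ClientHello record to exercise the parser.
    body = struct.pack(">H", version) + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                       # one compression method: null
    ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in exts)
    body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

# Constructed sample: TLS 1.2 ClientHello carrying a GREASE cipher and a GREASE extension.
SAMPLE = build_client_hello(0x0303, [0x0a0a, 0x1301, 0x1302, 0xc02b], [
    (0, b"\x00\x00"),                              # server_name (body not parsed here)
    (10, struct.pack(">HHH", 4, 0x001d, 0x0017)),  # supported_groups: x25519, secp256r1
    (11, b"\x01\x00"),                             # ec_point_formats: uncompressed
    (0x2a2a, b"")])                                # GREASE extension, must be ignored
```

Any change to the cipher list, extension set, curves or point formats of a client changes the resulting string and hash, which is why a detection rule keyed on a single JA3 value is brittle against clients that vary these fields.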
Usually, with a good configuration, an IDS should detect the network activity of meterpreter (JA3 fingerprints are provided for that). AFAIK Cisco Talos has many IDS signatures for detecting metasploit payloads; you can check them.
Antivirus usually checks file signatures (not JA3 fingerprints); some packing tools may help there. Different systems have different detection methods (probably your IP is in a blocklist -> you are detected, but bypassed all signatures/fingerprints).
The article says: "Please note that these rules will not detect the meterpreter shell if a custom or valid certificate is provided during the payload generation with msfvenom". Did you check paranoid mode? It describes generating a custom SSL/TLS certificate; probably it will help you. Or what exactly do you need to bypass?
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Hi again!
It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Hi! I was reading about TLS fingerprinting to detect Meterpreter's traffic and I came across JA3.
First, do you have any idea if that kind of fingerprinting is often used by IDS or antivirus software?
I'm looking for a way to randomize those TLS "features" to evade potential IDS, but I haven't been able to find anything in the framework to do such a thing. What would it take to implement such behavior? A plugin as described here?
(Sorry for not using the issue template, but I don't think it would have been relevant here)