Extend c2 module to generate malicious JA3 fingerprints #18

Open
tg opened this issue Apr 20, 2020 · 2 comments
Labels
enhancement New feature or request

Comments

@tg
Contributor

tg commented Apr 20, 2020

Worth adding a simulator for malicious TLS traffic, i.e. having known-bad JA3 or certificate hashes.

@tg tg added the enhancement New feature or request label Apr 20, 2020
@chrisforce1
Contributor

This one is a little complex as we'd need to set up servers and negotiate TLS in a particular way to generate JA3 (client) and JA3S (server) fingerprints that are known bad. I'll need to double-check on the certificate side of things, but we won't have the private keys, so that might not work.

@chrisforce1
Contributor

We should roll this into the c2 module with synthetic bad JA3 client fingerprints to a server we control that talks TLS (e.g. tls.sandbox.alphasoc.xyz), and we could even reply with a known bad JA3S server fingerprint, but that's not absolutely necessary (i.e. if it's a pain to implement).

@chrisforce1 chrisforce1 changed the title Generate malicious TLS traffic Extend c2 module to generate malicious JA3 fingerprints Jun 8, 2020
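
For context on why the comments above say TLS must be negotiated "in a particular way": a JA3 hash is the MD5 of the ClientHello's version, cipher suites, extensions, curves and point formats in the order offered, with GREASE values ignored, so a detection only fires when those exact values appear on the wire. The sketch below is an added example, not code from this project; `ClientHello`, `ja3_hash`, `classify`, the sample handshake values and the blocklist label are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. JA3 ignores them.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}


@dataclass(frozen=True)
class ClientHello:
    """Fields JA3 reads from a parsed ClientHello, in the order offered."""
    version: int
    ciphers: tuple
    extensions: tuple
    curves: tuple
    point_formats: tuple


def _field(values):
    # Decimal values joined by '-', GREASE dropped, order preserved.
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(ch):
    return ",".join([str(ch.version), _field(ch.ciphers), _field(ch.extensions),
                     _field(ch.curves), _field(ch.point_formats)])


def ja3_hash(ch):
    return hashlib.md5(ja3_string(ch).encode("ascii")).hexdigest()


def classify(ch, known_bad):
    """Return (ja3 hash, blocklist label or None) for one ClientHello."""
    digest = ja3_hash(ch)
    return digest, known_bad.get(digest)


# Constructed sample handshakes (not taken from any real malware or feed).
SIMULATED_C2 = ClientHello(771, (49192, 49191, 157, 156, 53),
                           (0, 10, 11, 13, 23), (29, 23, 24), (0,))
BROWSER_LIKE = ClientHello(771, (0x1A1A, 4865, 4866, 49195),
                           (0x2A2A, 0, 23, 65281, 10, 11), (0x3A3A, 29, 23), (0,))

# Constructed blocklist: hash of the simulated handshake -> placeholder label.
KNOWN_BAD = {ja3_hash(SIMULATED_C2): "constructed-test-family"}

if __name__ == "__main__":
    for name, ch in (("simulated-c2", SIMULATED_C2), ("browser-like", BROWSER_LIKE)):
        digest, label = classify(ch, KNOWN_BAD)
        print(f"{name}: {ja3_string(ch)} -> {digest} match={label}")
```

Reordering a single cipher suite produces a different hash, which is why a simulator has to control the ClientHello itself rather than rely on the TLS library's defaults.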