DissecTLS: A Scalable Active Scanner for TLS Server Configurations, Capabilities, and TLS Fingerprinting

Markus, Sosnowski,; Zirngibl, Johannes; Sattler, Patrick; Carle, Georg

doi:10.1007/978-3-031-28486-1_6

Cited by 6 publications

(16 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…DissecTLS provided a higher C2 detection precision compared to this work at the cost of sending more requests (24 ch per server on average [20]). Similarly, TLS server debugging tools like testssl.sh [19] or SSLyze [18] dynamically collect data about the TLS servers.…”

Section: S S L Y Z E T E S T S S L S H D I S S E C T L S T L Smentioning

confidence: 88%

“…2 The average number of sent CHs observed in a study on the Tranco top 10k domains published in Ref. [20].…”

Section: S S L Y Z E T E S T S S L S H D I S S E C T L S T L Smentioning

confidence: 99%

“…The only requirement is that servers behave consistently. The related work DissecTLS [20] shows that it is possible to implement such a dynamic scanning approach efficiently enough to use it for large-scale measurements.…”

Section: S S L Y Z E T E S T S S L S H D I S S E C T L S T L Smentioning

confidence: 99%

“…1 This work is an extension of Ref. [10], published in the Network Traffic Measurement and Analysis Conference (TMA) in 2022. Contributions (iii), (iv), and (vi) represent novel additions compared to the previous version.…”

Section: Introductionmentioning

confidence: 97%

“…It is an extension of the study described in Ref. [10], which provides a long-term analysis showcasing the applicability and performance of detection use cases supported by active TLS fingerprinting, along with an assessment of the effectiveness of their data collection.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

EFACTLS: Effective Active TLS Fingerprinting for Large-Scale Server Deployment Characterization

Sosnowski,

Zirngibl,

Sattler

et al. 2024

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

Active measurements allow the collection of server characteristics on a large scale that can aid in discovering hidden relations and commonalities among server deployments. Finding these relations opens up new possibilities for clustering and classifying server deployments; for example, identifying a previously unknown cybercriminal infrastructure can be valuable cyber-threat intelligence. In this work, we propose a methodology based on active measurements to acquire Transport Layer Security (TLS) metadata from servers and leverage it for fingerprinting. Our fingerprints capture characteristic behavior of the TLS stack, primarily influenced by the server's implementation, configuration, and hardware support. Using an empirical optimization strategy that maximizes information gained from every handshake to minimize measurement costs, we generated 10 general-purpose Client Hellos. They served as scanning probes to create an extensive database of TLS configurations to classify servers. We propose the Shannon Entropy to measure collected information and compare different approaches. This study fingerprinted 8 million servers from the Tranco top list and two Command and Control (C2) blocklists over 60 weeks with weekly snapshots. The resulting data formed the foundation for two long-term case studies: classification of Content Delivery Network and C2 servers. Moreover, the detection was finegrained enough to detect C2 server families. The proposed methodology demonstrated a precision of 99% and enabled a stable identification of new servers over time. This study shows how active measurements can provide valuable security-relevant insights and improve our understanding of the Internet.

show abstract

Section: S S L Y Z E T E S T S S L S H D I S S E C T L S T L Smentioning

confidence: 88%

“…2 The average number of sent CHs observed in a study on the Tranco top 10k domains published in Ref. [20].…”

Section: S S L Y Z E T E S T S S L S H D I S S E C T L S T L Smentioning

confidence: 99%

Section: S S L Y Z E T E S T S S L S H D I S S E C T L S T L Smentioning

confidence: 99%

Section: Introductionmentioning

confidence: 97%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

EFACTLS: Effective Active TLS Fingerprinting for Large-Scale Server Deployment Characterization

Sosnowski,

Zirngibl,

Sattler

et al. 2024

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

show abstract

QUIC Hunter: Finding QUIC Deployments and Identifying Server Libraries Across the Internet

Zirngibl,

Gebauer,

Sattler

et al. 2024

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Pump Up the JARM: Studying the Evolution of Botnets Using Active TLS Fingerprinting

Papadogiannaki,

Ioannidis

2023

2023 IEEE Symposium on Computers and Communications (ISCC)

View full text Add to dashboard Cite

The growing adoption of network encryption protocols, like TLS, has altered the scene of monitoring network traffic. With the advent and rapid increase in network encryption mechanisms, typical deep packet inspection systems that monitor network packet payload contents are gradually becoming obsolete, while in the meantime, adversaries abuse the utilization of the TLS protocol to bypass them. In this paper, aiming to understand the botnet ecosystem in the wild, we contact IP addresses known to participate in malicious activities using the JARM tool for active probing. Based on packets acquired from TLS handshakes, server fingerprints are constructed during a time period of 7 months. The fingerprints express servers' responses to a sequence of several ''TLS Client Hello'' messages with different TLS attributes and we investigate if it is feasible to detect suspicious servers and re-identify other similar within blocklists with no prior knowledge of their activities. Based on our study, we can see that fingerprints originating from suspicious servers are repetitive among similarly configured servers. We show that it is important to update fingerprints often or follow a more effective fingerprinting approach, since the overlapping ratio with legitimate servers rises over time.

show abstract

DissecTLS: A Scalable Active Scanner for TLS Server Configurations, Capabilities, and TLS Fingerprinting

Cited by 6 publications

References 15 publications

EFACTLS: Effective Active TLS Fingerprinting for Large-Scale Server Deployment Characterization

EFACTLS: Effective Active TLS Fingerprinting for Large-Scale Server Deployment Characterization

QUIC Hunter: Finding QUIC Deployments and Identifying Server Libraries Across the Internet

Pump Up the JARM: Studying the Evolution of Botnets Using Active TLS Fingerprinting

Contact Info

Product

Resources

About