1 Matching Annotations
- Jan 2024
old.zeek.org
SSL Certs
Threat actors generally use:
- The same cert.
- The same cert generation tool or algorithm.
- Especially if they wrote it.
- The same pool of certs.
SSL certificate hunting:
1. Why:
- Human laziness and path dependence.
2. How:
- Different infrastructure uses the same certificate, or certificates drawn from a shared pool.
- The certificates are all produced by the same generation tool or algorithm (e.g. the built-in certificate generation algorithm of MSF mentioned in the article; use that algorithm as a tool signature).
SSH tunnel detection:
1. Detecting a reverse shell over SSH proxy forwarding:
- Typing a character in a normal SSH session: packet length = SSH header + 1 byte char code + padding + HMAC. This could be 36, 40, 48 bytes or so.
- An SSH tunnel proxying another SSH session: packet length = SSH header + [previous SSH pkt] + HMAC. This could be 76, 84, 98 bytes and so on.
Note: depends on the cipher block size and on the HMAC algorithm and implementation of the client and server. (https://www.trisul.org/blog/traffic-analysis-of-secure-shell-ssh/)
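The length arithmetic above can be turned into a flow classifier. The Python below is an added example, not code from the Zeek page or the Trisul post. It assumes the classic RFC 4253 binary-packet layout (length field, padding byte, payload, at least 4 bytes of padding to a cipher-block boundary, then a trailing MAC; ETM and AEAD modes lay packets out differently and are not modelled), a hypothetical table of cipher/MAC profiles, and that a nested session's keystroke packet is carried as the data of an outer SSH_MSG_CHANNEL_DATA message. It derives the expected keystroke and nested-SSH packet lengths from those assumptions rather than hard-coding the figures quoted in the note, then labels a direction of a flow from its observed packet lengths. The sample flows are constructed.

```python
from collections import Counter

# Assumed RFC 4253 binary-packet layout (classic encrypt-and-MAC, not ETM or AEAD):
#   uint32 packet_length | byte padding_length | payload |
#   padding (>= 4 bytes, whole packet a multiple of the block size) | MAC
# SSH_MSG_CHANNEL_DATA payload: 1 byte type + uint32 channel + uint32 data length + data
CHANNEL_DATA_OVERHEAD = 1 + 4 + 4

# Hypothetical cipher/MAC profiles to model: (cipher block size, MAC length) in bytes.
PROFILES = {
    "3des-cbc/hmac-md5": (8, 16),
    "3des-cbc/hmac-sha1": (8, 20),
    "aes-ctr/hmac-md5": (16, 16),
    "aes-ctr/hmac-sha1": (16, 20),
    "aes-ctr/hmac-sha2-256": (16, 32),
}


def ssh_packet_len(payload_len, block_size, mac_len):
    """Wire length of one SSH binary packet carrying payload_len bytes of payload."""
    base = 4 + 1 + payload_len          # packet_length field + padding_length byte + payload
    pad = (-base) % block_size          # padding needed to reach a block boundary
    if pad < 4:                         # RFC 4253 requires at least 4 bytes of padding
        pad += block_size
    return base + pad + mac_len


def expected_lengths():
    """Return (keystroke_lengths, nested_lengths) across all modelled profiles.

    A keystroke is one CHANNEL_DATA message with 1 byte of data.  A nested
    session's keystroke packet (already padded and MACed by the inner session)
    becomes the data of the outer session's CHANNEL_DATA message.
    """
    keystroke = set()
    for block, mac in PROFILES.values():
        keystroke.add(ssh_packet_len(CHANNEL_DATA_OVERHEAD + 1, block, mac))
    nested = set()
    for block, mac in PROFILES.values():          # outer (tunnel) session profile
        for inner_len in keystroke:               # inner session may use any profile
            nested.add(ssh_packet_len(CHANNEL_DATA_OVERHEAD + inner_len, block, mac))
    return keystroke, nested


def classify_flow(lengths, min_packets=20, threshold=0.6):
    """Label one direction of an SSH flow from its per-packet wire lengths.

    Returns "insufficient", "nested-ssh", "interactive" or "bulk/other".
    A direction is called nested-ssh when at least `threshold` of its packets
    have a length that only an SSH-in-SSH keystroke would produce.
    """
    if len(lengths) < min_packets:
        return "insufficient"
    keystroke, nested = expected_lengths()
    counts = Counter(lengths)
    total = sum(counts.values())
    nested_hits = sum(c for length, c in counts.items() if length in nested)
    keystroke_hits = sum(c for length, c in counts.items() if length in keystroke)
    if nested_hits / total >= threshold:
        return "nested-ssh"
    if keystroke_hits / total >= threshold:
        return "interactive"
    return "bulk/other"


if __name__ == "__main__":
    keystroke, nested = expected_lengths()
    print("keystroke lengths:", sorted(keystroke))
    print("nested-ssh lengths:", sorted(nested))
    # Constructed client-to-server packet length samples for three flows.
    samples = {
        "interactive shell": [48] * 30 + [64] * 3,
        "ssh over ssh tunnel": [96] * 25 + [48] * 2 + [1500] * 3,
        "scp transfer": [1460] * 40,
    }
    for name, lengths in samples.items():
        print(f"{name}: {classify_flow(lengths)}")
```

Run it once with no arguments to see the derived length sets; note that the modelled sets contain 40, 44, 48 (keystrokes) and 84, 96 (nested), so the note's figures fall out of the packet format rather than being magic numbers. In production the profile table should be populated from the cipher and MAC actually negotiated in the flow's KEX, which Zeek exposes in its ssh log, so that only the one relevant length pair is matched.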