šŸ• Live webcast on Nov. 19: Attack graphs with runZero & BloodHound! Register Now
runZero CAASM

runZero Hour, Ep. 2: Deep dive into Transport Layer Security (TLS)

Overview

Episode 2 of the runZero Hour webcast took a quick survey of new IoT devices that showed up on the network over the holidays at the end of 2023. Did you know that crockpots are now on the network?! We also took a deep dive into Transport Layer Security (TLS). The latter discussion included a look at how fingerprinting is done in general.

There are three primary ways to gather information for fingerprinting: self-identification, attribute-based, and behavior-based. Self-identification is just whatever the target responds with about itself and is typically the first step in asset identification. Itā€™s also the naive method because:

  1. The target service or protocol may not support any form of self-identification.
  2. The ā€œtargetā€ may be an intervening device that may modify or redact that identification.
  3. The target itself may respond with an incorrect identification or not granular enough to be useful.
  4. Sometimes, users can configure services to omit the identification.

The next two are proxy indicators, which allow you to learn something without a full and potentially intrusive examination. For example, eyeglasses are a proxy indicator telling you that someone might have vision impairment even though you didnā€™t perform an eye exam.

With TLS, the client sends a Client Hello with a list of protocols, ciphers, and extensions it supports. In the response, the Server Hello, the server specifies which ones it wants to use. By sending varying combinations of these options and observing which the server has selected, we can learn much about the target TLS stack.

TLS

Finally, there is behavior-based, where the scanner varies its operation at the connection level to elicit tell-tale reactions from the server. Typically, when the client side of a TCP connection unexpectedly terminates, the client OS sends a TCP FIN packetā€“this state is known as a half-close. How does the TLS endpoint respond to half-closes? Interestingly, some versions of OpenSSL do not respond, while others respond with an TLS alert message. Other TLS stacks, such as GnuTLS, may respond with entirely different TLS alert messages. Want to know which version does which? Watch the full to find out and learn additional insights on funky protocols, oddball devices, and more in-depth details about TLS.

Meet Our Speakers

HD Moore

Founder & CEO, runZero

Huxley Barbee

Contributor

Rob King

Director of Applied Research, runZero

Tom Sellers

Principal Research Engineer

Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Resources

Webcasts
Fixing a broken system: why legacy vuln management tools canā€™t keep up
Watch the on-demand webcast on the future of exposure management, featuring attacker-driven strategies, continuous visibility, and rapid remediation.
Watch Now
Webcasts
How North Carolina secures Kā€“12 schools with runZero
In this webcast we unpack how runZero supports a statewide exposure management program to protect 343 Public School Units across North Carolina.
Watch Now
Webcasts
runZero Hour, Ep. 23: Beyond the veil with end-of-life OSes
In this episode of runZero Hour Rob King, Tod Beardsley, and captn3m0 (creator of endoflife.date) summon insights from runZeroā€™s latest research...
Watch Now
Webcasts
runZero Hour, Ep. 22: Poking the bear (safely) - our expanded vuln checks
We just added hundreds of new critical remote vulnerability checks to runZero that run safely across all your environments and are way faster than...
Watch Now

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.

Try runZero for Free
runZero CAASM
Ā© Copyright 2025 runZero, Inc. All Rights Reserved