Presented at DEF CON 33 (2025), Aug. 9, 2025, 2 p.m. (240 minutes).
In this hands-on workshop you’ll move beyond the theory of network fingerprinting and actually put fingerprints to use at both the TCP and TLS layers. Working in live lab environments, you will:
1. Capture real TLS ClientHello and TCP handshake packets with `muonfp`, `p0f`, `ja3`, `ja3n` and `ja4`
2. Normalize JA3 into JA3n, overcoming the TLS extension shuffling of modern browsers
3. Translate MuonFP fingerprint detections into classic p0f signatures
4. Compile those signatures into BPF and iptables bytecode to dynamically block scanners
5. Detect & block mass-scan traffic from ZMap and Masscan in real time without interrupting any other traffic.
6. Forge your own fingerprints (Windows, Linux, common browsers) with Scapy, then validate that your defenses can’t tell you apart.
Presenters:
- Vlad Iliushin, Researcher at ELLIO
Vlad is the co-founder and cybersecurity expert at ELLIO and President of the Anti-Malware Testing Standards Organization (AMTSO). A true cybersecurity enthusiast, Vlad’s passionate about network security, IoT, and cyber deception. Before ELLIO, he founded and led the Avast IoT Lab (now Gen Digital), developing security features and researching IoT threats. He has spoken at many conferences, including Web Summit and South by Southwest (SXSW), where he demonstrated IoT vulnerabilities.