├── LICENSE
├── README.md
├── scripts
│   ├── __load__.zeek
│   └── zoom.zeek
└── zkg.meta

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2020, benjeems
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Got Zoom?
- Raises a notice when the Zoom client initially connects. The name of the server included in the notice indicates the authentication method: Facebook, Google, SSO, or Zoom itself.
- Raises a separate notice when the Zoom client joins a meeting. Only the name of the first meeting server connected to is included in the notice; there may be several meeting servers, each used for a different purpose but all associated with the same meeting.

## Background
See [https://zeek.org/2020/04/14/got-zoom/](https://zeek.org/2020/04/14/got-zoom/)

## Requires
JA3 and JA3S. Errors will occur if JA3 is not loaded *prior* to got_zoom, because the script reads the `ja3` and `ja3s` fields that the JA3 package adds to `SSL::Info`. Get JA3 [here](https://github.com/salesforce/ja3 "JA3").

## Logic at a glance

**Client Login:**
* JA3 of Zoom client AND
* JA3S of Zoom Login Servers AND
* Zoom server_name AND
* Zoom certificate

**Meeting Join:**
* JA3S of Zoom Meeting Server AND
* Zoom server_name AND
* Zoom certificate

## Usage
### Stand alone mode:
Make sure JA3 is loaded before got_zoom. You can do this by editing the commented-out line in `scripts/__load__.zeek` to point to your local copy of the JA3 files.

You can then run got_zoom on your pcap:
```
zeek -Cr your.pcap scripts/__load__.zeek
```

### As a package:
To install the package:
```
zkg install .
```
Once again, you must ensure that JA3 is loaded prior to the got_zoom load.


## Tested against
- Zoom 4.6.10 (20041.0408) on OSX 10.15.3
- zeek version 3.2.0-dev.277

## Output notice.log

### Connection.
In this example the Zoom client is authenticated with Facebook, indicated by a server_name of facebook.zoom.us.

```
1586823459.142204 ChMw6p3tKAfiyHngs3 192.168.13.37 57426 52.202.62.237 443 - - - tcp zoom_TLS::LoggedIn Zoom Client connected to facebook.zoom.us. Only the first connection generates this notice (there may be numerous connections) - 192.168.13.37 52.202.62.237 443 - - Notice::ACTION_LOG 3600.000000 - - - - -
```


### Meeting traffic.
In this example, the first meeting server connected to is zoomca54150137226zc.zoom.us. There may be many other meeting servers associated with the same meeting which bear similar names.

```
1586498392.012030 CfIPEz2Aj3WAM2g072 192.168.13.37 63350 54.190.137.246 443 - - - tcp zoom_TLS::MeetingJoined Zoom Meeting traffic via a connection to zoomca54150137226zc.zoom.us. Only the first server connection generates this notice. There are often numerous such connections for a single Zoom meeting - 192.168.13.37 54.190.137.246 443 - - Notice::ACTION_LOG 3600.000000 - - - - -
```

--------------------------------------------------------------------------------
/scripts/__load__.zeek:
--------------------------------------------------------------------------------
# Load JA3 here if you need to in stand alone mode.
# Change the path to where JA3 lives on your system.
# @load //ja3/zeek/__load__.zeek
@load packages/ja3
@load ./zoom

--------------------------------------------------------------------------------
/scripts/zoom.zeek:
--------------------------------------------------------------------------------
module zoom_TLS;
# This script raises a notice for:
# 1) Traffic generated when a Zoom client connects
# 2) Traffic generated when a meeting is joined
# Tested against Zoom Version: 4.6.10 (20041.0408) ; zeek version 3.2.0-dev.277

export {
	# JA3 hashes observed from the Zoom client on its initial connection.
	global zoom_JA3_client_connect: set[string] = set(
		"fdf59db13f79da45024018dabda7080d",
		"c51de225944b7d58d48c0f99f86ba8e6"
	);
	# JA3S hashes observed from the Zoom login servers.
	global zoom_JA3S_client_connect: set[string] = set(
		"c47ac3dc74b5ef88f4e96e184c552098",
		"367b681f4d7aa89f8609c6fe7d1fa774",
		"7c9a36ef25ae55e481acdf7c96c1ca15",
		"0b8e478e42c89eaa602e5a29af6f639a",
		"f6e234011390444c303f74d09d87322d"
	);
	# Commented out but left here for reference if required later.
	# global zoom_JA3_in_meeting: set[string] = set(
	#	"8e6eceee7fcf02fec8fd6cbfcb9c4de9"
	# );
	# JA3S hash observed from the Zoom meeting servers.
	global zoom_JA3S_in_meeting: set[string] = set(
		"ada793d0f02b028a6c840504edccb652"
	);

	redef enum Notice::Type += {
		LoggedIn,
		MeetingJoined
	};
}

# True when the connection carries every field the matching below reads:
# JA3/JA3S (added to SSL::Info by the JA3 package), the SNI server_name and a
# leaf certificate. Without these guards a resumed session (empty cert_chain)
# or a handshake without SNI raises a runtime error instead of simply not matching.
function has_zoom_fields(c: connection): bool
	{
	return c?$ssl && c$ssl?$ja3 && c$ssl?$ja3s && c$ssl?$server_name &&
	       c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 &&
	       c$ssl$cert_chain[0]?$x509;
	}

event ssl_established(c: connection)
	{
	local notice_message: string = "";

	if ( ! has_zoom_fields(c) )
		return;

	# Client login: client JA3, login-server JA3S, *.zoom.us SNI and a *.zoom.* certificate.
	if ( c$ssl$ja3 in zoom_JA3_client_connect && c$ssl$ja3s in zoom_JA3S_client_connect &&
	     /\.zoom\.us$/ in c$ssl$server_name &&
	     /^CN\=\*\.zoom\./ in c$ssl$cert_chain[0]$x509$certificate$subject )
		{
		# print "You Got Zoom Client running";
		notice_message = fmt("Zoom Client connected to %s. Only the first connection generates this notice (there may be numerous connections)", c$ssl$server_name);
		# $identifier keyed on the client address: one notice per client within
		# the notice suppression interval, however many connections it makes.
		NOTICE([$note=LoggedIn,
		        $conn=c,
		        $identifier=cat(c$id$orig_h),
		        $sub=c$ssl$server_name,
		        $msg=notice_message]);
		return;
		}

	# Note that the JA3 (stored for reference in set zoom_JA3_in_meeting) is not used here.
	# This should make for more resilience to variations in client flavours.
	if ( c$ssl$ja3s in zoom_JA3S_in_meeting &&
	     /\.zoom\.us$/ in c$ssl$server_name &&
	     /^CN\=\*\.zoom\./ in c$ssl$cert_chain[0]$x509$certificate$subject )
		{
		# print "You Got a Zoom Video/Audio session";
		notice_message = fmt("Zoom Meeting traffic to %s. Only the first meeting connection generates this notice (there are often numerous such connections for a single Zoom meeting)", c$ssl$server_name);
		NOTICE([$note=MeetingJoined,
		        $conn=c,
		        $identifier=cat(c$id$orig_h),
		        $sub=c$ssl$server_name,
		        $msg=notice_message]);
		}
	}

--------------------------------------------------------------------------------
/zkg.meta:
--------------------------------------------------------------------------------
[package]
description = Detect Zoom traffic
tags = TLS, SSL, JA3, Video conferencing, Video, Videoconferencing, Remote working, Zoom
version = 0.1
script_dir = scripts
depends =
  bro >=2.5.5
  ja3 *
--------------------------------------------------------------------------------
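The two notice.log records in the README above are shown with their tabs collapsed to spaces, which hides that Zeek logs are tab-separated and that the `msg` field itself contains spaces, so splitting a record on whitespace shifts every later column. The following Python script is an added example and not part of the got_zoom package: it parses a notice.log as Zeek writes it, keeps only the `zoom_TLS::` notices and reports, per client address, the first label of the login server (the README states this label identifies the authentication method; `facebook` is the only value the README shows) and the first meeting server. The `#fields` header is the Zeek 3.x notice.log column list and the two records are re-tabbed copies of the README examples; both are constructed sample input, not a real capture. Because the README samples show the `sub` column unset, the server name is taken from `sub` when present and otherwise recovered from the `*.zoom.us` host embedded in `msg`.

```python
import re
from typing import Dict, Iterator, List, Optional

# Zeek's placeholder for an unset field.
UNSET = "-"
# A *.zoom.us hostname embedded in the notice message text.
ZOOM_HOST_RE = re.compile(r"([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.zoom\.us)")

# Constructed sample log (not a real capture): Zeek 3.x notice.log header plus the
# two README records with their tab separators restored.
SAMPLE_NOTICE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfuid\tfile_mime_type"
    "\tfile_desc\tproto\tnote\tmsg\tsub\tsrc\tdst\tp\tn\tpeer_descr\tactions\tsuppress_for"
    "\tremote_location.country_code\tremote_location.region\tremote_location.city"
    "\tremote_location.latitude\tremote_location.longitude",
    "1586823459.142204\tChMw6p3tKAfiyHngs3\t192.168.13.37\t57426\t52.202.62.237\t443\t-\t-\t-\ttcp"
    "\tzoom_TLS::LoggedIn\tZoom Client connected to facebook.zoom.us. Only the first connection"
    " generates this notice (there may be numerous connections)\t-\t192.168.13.37\t52.202.62.237"
    "\t443\t-\t-\tNotice::ACTION_LOG\t3600.000000\t-\t-\t-\t-\t-",
    "1586498392.012030\tCfIPEz2Aj3WAM2g072\t192.168.13.37\t63350\t54.190.137.246\t443\t-\t-\t-\ttcp"
    "\tzoom_TLS::MeetingJoined\tZoom Meeting traffic via a connection to zoomca54150137226zc.zoom.us."
    " Only the first server connection generates this notice. There are often numerous such"
    " connections for a single Zoom meeting\t-\t192.168.13.37\t54.190.137.246\t443\t-\t-"
    "\tNotice::ACTION_LOG\t3600.000000\t-\t-\t-\t-\t-",
    "#close\t2020-04-14-00-00-00",
])


def parse_notice_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the column names in the #fields header.

    Records are split on tabs only: the msg column contains spaces.
    """
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # #separator, #open, #types, #close ...
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def zoom_server_name(rec: Dict[str, str]) -> Optional[str]:
    """Server name a zoom_TLS notice refers to.

    zoom.zeek sets $sub to the SNI server_name, but the README samples show sub
    unset, so fall back to the *.zoom.us host embedded in the message text.
    """
    if rec.get("sub", UNSET) != UNSET:
        return rec["sub"]
    m = ZOOM_HOST_RE.search(rec.get("msg", ""))
    return m.group(1) if m else None


def login_method(server_name: str) -> str:
    """First DNS label of the login server, e.g. 'facebook' for facebook.zoom.us."""
    return server_name.split(".", 1)[0]


def summarize_zoom(text: str) -> Dict[str, Dict[str, str]]:
    """Per client address: how it logged in and the first meeting server it reached.

    Mirrors the script's per-client $identifier: only the first notice of each
    kind per client is kept.
    """
    clients: Dict[str, Dict[str, str]] = {}
    for rec in parse_notice_log(text):
        if not rec["note"].startswith("zoom_TLS::"):
            continue
        host = zoom_server_name(rec)
        if host is None:
            continue
        entry = clients.setdefault(rec["id.orig_h"], {})
        if rec["note"] == "zoom_TLS::LoggedIn":
            entry.setdefault("login_via", login_method(host))
        elif rec["note"] == "zoom_TLS::MeetingJoined":
            entry.setdefault("first_meeting_server", host)
    return clients


if __name__ == "__main__":
    for client, info in summarize_zoom(SAMPLE_NOTICE_LOG).items():
        print(client, info)
```

Feed a real file with `summarize_zoom(open("notice.log").read())`; the `#fields` header Zeek writes is what drives the column names, so the parser also copes with notice.log layouts that add or drop columns in other Zeek versions.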