JA4+ is a suite of network fingerprinting methods that are easy to use and easy to share. These methods are both human and machine readable to facilitate more effective threat-hunting and analysis. The use-cases for these fingerprints include scanning for threat actors, malware detection, session hijacking prevention, compliance automation, location tracking, DDoS detection, grouping of threat actors, reverse shell detection, and many more.

Please read our blogs for details on how JA4+ works, why it works, and examples of what can be detected/prevented with it:

- JA4+ Network Fingerprinting (JA4/S/H/L/X/SSH)
- JA4T: TCP Fingerprinting (JA4T/TS/TScan)

To understand how to read JA4+ fingerprints, see Technical Details.

This repo includes JA4+ in Python, Rust, Zeek and C, as a Wireshark plugin.
JA4/JA4+ support is being added to:

- GreyNoise
- Hunt
- Driftnet
- DarkSail
- Arkime
- GoLang (JA4X)
- Suricata
- Wireshark
- Zeek
- nzyme
- Netresec's CapLoader
- Netresec's NetworkMiner
- NGINX
- F5 BIG-IP
- nfdump
- ntop's ntopng
- ntop's nDPI
- Team Cymru
- NetQuest
- Censys
- Exploit.org's Netryx
- Cloudflare
- fastly
- with more to be announced…
## Examples

| Application | JA4+ Fingerprints |
|---|---|
| Chrome | JA4=t13d1516h2_8daaf6152771_02713d6af862 (TCP) JA4=q13d0312h3_55b375c5d22e_06cda9e17597 (QUIC) JA4=t13d1517h2_8daaf6152771_b0da82dd1658 (pre-shared key) JA4=t13d1517h2_8daaf6152771_b1ff8ab2d16f (no key) |
| IcedID Malware Dropper | JA4H=ge11cn020000_9ed1ff1f7b03_cd8dafe26982 |
| IcedID Malware | JA4=t13d201100_2b729b4bf6f3_9e7b989ebec8 JA4S=t120300_c030_5e2616a54c73 |
| Sliver Malware | JA4=t13d190900_9dc949149365_97f8aa674fd9 JA4S=t130200_1301_a56c5b993250 JA4X=000000000000_4f24da86fad6_bf0f0589fc03 JA4X=000000000000_7c32fa18c13e_bf0f0589fc03 |
| Cobalt Strike | JA4H=ge11cn060000_4e59edc1297a_4da5efaf0cbd JA4X=2166164053c1_2166164053c1_30d204a01551 |
| SoftEther VPN | JA4=t13d880900_fcb5b95cb75a_b0d3b4ac2a14 (client) JA4S=t130200_1302_a56c5b993250 JA4X=d55f458d5a6c_d55f458d5a6c_0fc8c171b6ae |
| Qakbot | JA4X=2bab15409345_af684594efb4_000000000000 |
| Pikabot | JA4X=1a59268f55e5_1a59268f55e5_795797892f9c |
| Darkgate | JA4H=po10nn060000_cdb958d032b0 |
| LummaC2 | JA4H=po11nn050000_d253db9d024b |
| Evilginx | JA4=t13d191000_9dc949149365_e7c285222651 |
| Reverse SSH Shell | JA4SSH=c76s76_c71s59_c0s70 |
| Windows 10 | JA4T=64240_2-1-3-1-1-4_1460_8 |
| Epson Printer | JA4TScan=28960_2-4-8-1-3_1460_3_1-4-8-16 |

For more, see ja4plus-mapping.csv

The mapping file is unlicensed and free to use. Feel free to do a pull request with any JA4+ data you find.
## Plugins

## Binaries

Recommended to have tshark version 4.0.6 or later for full functionality. See: https://pkgs.org/search/?q=tshark

Download the latest JA4 binaries from: Releases.

### JA4+ on Ubuntu

```
sudo apt install tshark
./ja4 [options] [pcap]
```

### JA4+ on Mac

1) Install Wireshark from https://www.wireshark.org/download.html, which will install tshark
2) Add tshark to $PATH

```
ln -s /Applications/Wireshark.app/Contents/MacOS/tshark /usr/local/bin/tshark
./ja4 [options] [pcap]
```

### JA4+ on Windows

1) Install Wireshark for Windows from https://www.wireshark.org/download.html, which will install tshark.exe
   tshark.exe is in the location where Wireshark is installed, for example: `C:\Program Files\Wireshark\tshark.exe`
2) Add the location of tshark to your "PATH" environment variable in Windows.
   (System Properties > Environment Variables… > Edit Path)
3) Open cmd, navigate to the ja4 folder

```
ja4 [options] [pcap]
```
## Database

An official JA4+ database of fingerprints, associated applications and recommended detection logic is in the process of being built.

In the meantime, see ja4plus-mapping.csv

Feel free to do a pull request with any JA4+ data you find.

## JA4+ Details
JA4+ is a set of simple yet powerful network fingerprints for multiple protocols that are both human and machine readable, facilitating improved threat-hunting and security analysis. If you are unfamiliar with network fingerprinting, I encourage you to read my blogs releasing JA3 here, JARM here, and this excellent blog by Fastly on the State of TLS Fingerprinting, which outlines the history of the aforementioned along with their problems. JA4+ brings dedicated support, keeping the methods up-to-date as the industry changes.

All JA4+ fingerprints have an a_b_c format, delimiting the different sections that make up the fingerprint. This allows for hunting and detection utilizing just ab or ac or c only. If one wanted to do analysis only on incoming cookies into their app, they would look at JA4H_c only. This new locality-preserving format facilitates deeper and richer analysis while remaining simple, easy to use, and allowing for extensibility.

For example: GreyNoise is an internet listener that identifies internet scanners and is implementing JA4+ into their product. They have an actor who scans the internet with a constantly changing single TLS cipher. This generates a massive number of completely different JA3 fingerprints, but with JA4 only the b part of the JA4 fingerprint changes; parts a and c remain the same. As such, GreyNoise can track the actor by looking at the JA4_ac fingerprint (joining a+c, dropping b).
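The a_b_c split and the JA4_ac trick described above, as an added Python example (this is not code from the JA4+ project). It splits a fingerprint into its sections, reads the fixed-width fields of the a section (the field layout is taken from the JA4 specification rather than from this page, so treat it as an assumption), and buckets a constructed set of scanner fingerprints by JA4_ac so that a rotating single-cipher scanner collapses into one group. The helper names (`parse_ja4`, `decode_a`, `group_by_ac`) and the scanner hash values are made up for the example; the Chrome fingerprint is the one from the table above.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class JA4:
    """The three sections of a JA4 fingerprint, written a_b_c."""
    a: str
    b: str
    c: str

    @property
    def ab(self) -> str:
        return f"{self.a}_{self.b}"

    @property
    def ac(self) -> str:
        # Join a and c, drop b: the view GreyNoise uses for the rotating-cipher scanner.
        return f"{self.a}_{self.c}"


def parse_ja4(fingerprint: str) -> JA4:
    """Split a fingerprint string into its a, b and c sections."""
    parts = fingerprint.strip().split("_")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected a_b_c format, got {fingerprint!r}")
    return JA4(*parts)


def decode_a(a: str) -> dict:
    """Read the fixed-width fields of the a section.

    Layout assumed from the JA4 specification (not restated on the page):
    transport (t=TCP, q=QUIC), TLS version, SNI present (d) or absent (i),
    cipher count, extension count, first/last character of the first ALPN.
    """
    if len(a) != 10:
        raise ValueError(f"a section must be 10 characters, got {a!r}")
    return {
        "transport": a[0],
        "tls_version": a[1:3],
        "sni": "present" if a[3] == "d" else "absent",
        "cipher_count": int(a[4:6]),
        "extension_count": int(a[6:8]),
        "alpn": a[8:10],
    }


def group_by_ac(fingerprints):
    """Bucket fingerprints by JA4_ac, ignoring the cipher-list hash in b."""
    groups = defaultdict(list)
    for fp in fingerprints:
        groups[parse_ja4(fp).ac].append(fp)
    return dict(groups)


# Real Chrome fingerprint taken from the examples table on this page.
CHROME = "t13d1516h2_8daaf6152771_02713d6af862"

# Constructed sample: a scanner offering exactly one cipher per ClientHello and
# rotating it each time. The a and c sections stay fixed; only b moves.
# These b and c hash values are made up for illustration.
ROTATING_SCANNER = [
    "t13d0110h2_1a2b3c4d5e6f_3fd0b2f7e1aa",
    "t13d0110h2_9f8e7d6c5b4a_3fd0b2f7e1aa",
    "t13d0110h2_0f1e2d3c4b5a_3fd0b2f7e1aa",
    "t13d0110h2_deadbeef0001_3fd0b2f7e1aa",
]


if __name__ == "__main__":
    chrome = parse_ja4(CHROME)
    print("Chrome JA4_ac:", chrome.ac, decode_a(chrome.a))
    for ac, members in group_by_ac(ROTATING_SCANNER + [CHROME]).items():
        print(f"{ac}: {len(members)} full fingerprint(s)")
```

Four distinct JA4 values from the scanner become a single JA4_ac key, while Chrome stays in its own bucket, which is the pivot a hunting query can key on.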
Current methods and implementation details:

| Full Name | Short Name | Description |
|---|---|---|
| JA4 | JA4 | TLS Client Fingerprinting |
| JA4Server | JA4S | TLS Server Response / Session Fingerprinting |
| JA4HTTP | JA4H | HTTP Client Fingerprinting |
| JA4Latency | JA4L | Latency Measurement / Light Distance |
| JA4X509 | JA4X | X509 TLS Certificate Fingerprinting |
| JA4SSH | JA4SSH | SSH Traffic Fingerprinting |
| JA4TCP | JA4T | TCP Client Fingerprinting |
| JA4TCPServer | JA4TS | TCP Server Response Fingerprinting |
| JA4TCPScan | JA4TScan | Active TCP Fingerprint Scanner |

The full name or short name can be used interchangeably. Additional JA4+ methods are in the works…

To understand how to read JA4+ fingerprints, see Technical Details.
## Licensing

JA4: TLS Client Fingerprinting is open-source, BSD 3-Clause, same as JA3. FoxIO does not have patent claims and is not planning to pursue patent coverage for JA4 TLS Client Fingerprinting. This allows any company or tool currently utilizing JA3 to immediately upgrade to JA4 without delay.

JA4S, JA4L, JA4H, JA4X, JA4SSH, JA4T, JA4TScan and all future additions (collectively referred to as JA4+) are licensed under the FoxIO License 1.1. This license is permissive for most use cases, including for academic and internal business purposes, but is not permissive for monetization. If, for example, a company would like to use JA4+ internally to help secure their own company, that is permitted. If, for example, a vendor would like to sell JA4+ fingerprinting as part of their product offering, they would need to request an OEM license from us.

All JA4+ methods are patent pending.

JA4+ is a trademark of FoxIO.

JA4+ can be and is being implemented into open source tools; see the License FAQ for details.

This licensing allows us to provide JA4+ to the world in a way that is open and immediately usable, but also provides us with a way to fund continued support, research into new methods, and the development of the upcoming JA4 Database. We want everyone to have the ability to utilize JA4+ and are happy to work with vendors and open source projects to help make that happen.

ja4plus-mapping.csv is not included in the above software licenses and is thereby a license-free file.

## Q&A
Q: Why are you sorting the ciphers? Doesn't the ordering matter?

A: It does, but in our research we've found that applications and libraries choose a unique cipher list more than a unique ordering. This also reduces the effectiveness of "cipher stunting," a tactic of randomizing cipher ordering to prevent JA3 detection.

Q: Why are you sorting the extensions?

A: Earlier in 2023, Google updated Chromium browsers to randomize their extension ordering. Much like cipher stunting, this was a tactic to prevent JA3 detection and "make the TLS ecosystem more robust to changes." Google was worried server implementers would assume the Chrome fingerprint would never change and end up building logic around it, which would cause issues whenever Google went to update Chrome.

So I want to make this clear: JA4 fingerprints will change as application TLS libraries are updated, about once a year. Do not assume fingerprints will remain constant in an environment where applications are updated. Either way, sorting the extensions gets around this, and adding in Signature Algorithms preserves uniqueness.
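Why sorting defeats cipher stunting and Chromium's extension shuffling, shown as an added Python example (not JA4+ project code). It hashes a constructed cipher list in offered order (order-sensitive, JA3-style) and in sorted order (JA4-style), then repeats with randomized orderings to count how many distinct fingerprints each approach yields; it also shows that appending the signature algorithm list keeps two clients with identical extension sets distinguishable. The 12-character truncated SHA-256 over a comma-joined list is how I understand the JA4 b and c sections to be built, taken from the specification rather than this page, so treat it as an assumption; helper names and the cipher/extension/signature-algorithm lists are made up for the example.

```python
import hashlib
import random


def section_hash(values) -> str:
    """Truncated SHA-256 of a comma-joined list (JA4-style section hash; assumption)."""
    return hashlib.sha256(",".join(values).encode()).hexdigest()[:12]


def ordered_cipher_hash(ciphers) -> str:
    """JA3-style: the hash depends on the order the ciphers were offered in."""
    return section_hash(ciphers)


def ja4_b(ciphers) -> str:
    """JA4-style b section: hash the sorted cipher list, so order no longer matters."""
    return section_hash(sorted(ciphers))


def ja4_c(extensions, signature_algorithms) -> str:
    """JA4-style c section: sorted extensions, then the signature algorithms
    appended as offered, so clients with the same extension set but different
    signature algorithm lists still get different fingerprints (assumption)."""
    joined = ",".join(sorted(extensions)) + "_" + ",".join(signature_algorithms)
    return hashlib.sha256(joined.encode()).hexdigest()[:12]


# Constructed sample lists, 4-hex-digit IANA-style values.
CIPHERS = ["1301", "1302", "1303", "c02b", "c02f", "c02c", "c030",
           "cca9", "cca8", "c013", "c014", "009c", "009d", "002f", "0035"]
EXTENSIONS = ["0005", "000a", "000b", "000d", "0012", "0017", "001b",
              "0023", "002b", "002d", "0033", "4469", "ff01"]
SIG_ALGS = ["0403", "0804", "0401", "0503", "0805", "0501", "0806", "0601"]


def cipher_stunting_trial(ciphers, trials=50, seed=1):
    """Randomize the cipher order `trials` times and return how many distinct
    fingerprints the ordered and the sorted hashing strategies each produce."""
    rng = random.Random(seed)
    seen_ordered, seen_sorted = set(), set()
    for _ in range(trials):
        hello = list(ciphers)
        rng.shuffle(hello)
        seen_ordered.add(ordered_cipher_hash(hello))
        seen_sorted.add(ja4_b(hello))
    return len(seen_ordered), len(seen_sorted)


def extension_shuffle_trial(extensions, sig_algs, trials=50, seed=2):
    """Randomize the extension order, as Chromium does, and count distinct c sections."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        hello = list(extensions)
        rng.shuffle(hello)
        seen.add(ja4_c(hello, sig_algs))
    return len(seen)


if __name__ == "__main__":
    ordered, sorted_ = cipher_stunting_trial(CIPHERS)
    print(f"50 stunted ClientHellos -> {ordered} ordered hashes, {sorted_} sorted hash(es)")
    print(f"50 shuffled extension orders -> {extension_shuffle_trial(EXTENSIONS, SIG_ALGS)} c section(s)")
    print("same extensions, different sig algs:",
          ja4_c(EXTENSIONS, SIG_ALGS), ja4_c(EXTENSIONS, list(reversed(SIG_ALGS))))
```

The order-sensitive hash fans out into a fresh value on nearly every shuffle, which is exactly the flood of distinct JA3 values stunting aims for, while the sorted hash stays at one value; the final line shows that signature algorithms, left in offered order, still separate otherwise identical extension sets.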
Q: Doesn't TLS 1.3 make fingerprinting TLS clients harder?

A: No, it makes it easier! Since TLS 1.3, clients have had a much larger set of extensions, and even though TLS 1.3 only supports a few ciphers, browsers and applications still support many more.
JA4+ was created by:

John Althouse, with feedback from:

Josh Atkins
Jeff Atkinson
Joshua Alexander
W.
Joe Martin
Ben Higgins
Andrew Morris
Chris Ueland
Ben Schofield
Matthias Vallentin
Valeriy Vorotyntsev
Timothy Noel
Gary Lipsky
And engineers working at GreyNoise, Hunt, Google, ExtraHop, F5, Driftnet and others.
Contact John Althouse at [email protected] for licensing and questions.
Copyright (c) 2024, FoxIO