TLS Fingerprinting
Identify client and server that are using encrypted connections
Last updated
Identify client and server that are using encrypted connections
Last updated
Watch a quick demo of creating and exploring the TLSClientHello audit records on the command-line
JA3 is a technique developed by Salesforce, to fingerprint the TLS client and server hellos.
More details can be found in their blog post:
Support for JA3 and JA3S in netcap is implemented via:
The TLSClientHello and TLSServerHello audit records, as well as the DeviceProfiles provide JA3 hashes.
JA3 gathers the decimal values of the bytes for the following fields: SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats.
It then concatenates those values together in order, using a “,” to delimit each field and a “-” to delimit each value in each field.
The field order is as follows:
Example:
If there are no SSL Extensions in the Client Hello, the fields are left empty.
Example:
These strings are then MD5 hashed to produce an easily consumable and shareable 32 character fingerprint.
This is the JA3 SSL Client Fingerprint.
JA3 is a much more effective way to detect malicious activity over SSL than IP or domain based IOCs. Since JA3 detects the client application, it doesn’t matter if malware uses DGA (Domain Generation Algorithms), or different IPs for each C2 host, or even if the malware uses Twitter for C2, JA3 can detect the malware itself based on how it communicates rather than what it communicates to.
JA3 is also an excellent detection mechanism in locked-down environments where only a few specific applications are allowed to be installed. In these types of environments one could build a whitelist of expected applications and then alert on any other JA3 hits.
JA3S is JA3 for the Server side of the SSL/TLS communication and fingerprints how servers respond to particular clients.
JA3S uses the following field order:
With JA3S it is possible to fingerprint the entire cryptographic negotiation between client and it's server by combining JA3 + JA3S. That is because servers will respond to different clients differently but will always respond to the same client the same.
For the Trickbot example:
For the Emotet example:
In these malware examples, the command and control server always responds to the malware client in exactly the same way, it does not deviate. So even though the traffic is encrypted and one may not know the command and control server's IPs or domains as they are constantly changing, we can still identify, with reasonable confidence, the malicious communication by fingerprinting the TLS negotiation between client and server. Again, please be aware that these are examples, not indicative of all versions ever, and are intended to illustrate what is possible.
The official python implementation can be found .
For more details on what you can see and do with JA3 and JA3S, please see this Shmoocon 2018 talk:
