Monday, June 20, 2022

Using JA3 to find TLS fingerprint

In this post we will review how to check a client's TLS fingerprint using the JA3 library from Salesforce.


Transport Layer Security (TLS) fingerprinting is a technique that associates an application and/or TLS library with parameters extracted from a TLS ClientHello by using a database of curated fingerprints, and it can be used to identify malware and vulnerable applications and for general network visibility.

from: https://blogs.cisco.com/security/tls-fingerprinting-in-the-real-world


To check the fingerprint of a connecting client we will do the following:

  • Create a TLS-based HTTP server using Python
  • Create a self-signed TLS key and certificate for the server
  • Run the server on a GCP VM
  • Capture the incoming traffic to a pcap file
  • Connect to the server using various clients
  • Use JA3 to print the fingerprint of each client


The code to run a TLS-based HTTP server is very simple:


import http.server, ssl

# Plain HTTP server on all interfaces, port 443 (needs root or CAP_NET_BIND_SERVICE)
server_address = ('0.0.0.0', 443)
httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)

# ssl.wrap_socket() was removed in Python 3.12; an SSLContext does the same job.
# s.pem holds both the private key and the self-signed certificate (see the openssl command below).
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile='s.pem')
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()


Now we create a self-signed TLS key and certificate; the command below writes both into s.pem:


openssl req -new -x509 -keyout s.pem -out s.pem -days 365 -nodes


Next, we use GCP to create a new VM with a public IPv4 address. This allows us to connect to the server from various clients around the world. Note that we need to edit the VM properties and allow HTTPS traffic to the VM. Once the VM is up and running, we run the Python code above, and the server is ready.


JA3 works on a pcap file, so we first list the network interfaces on the VM to find the one to capture on:


ip link


And then we capture the traffic on the relevant interface (as root, since tcpdump needs raw socket access):


tcpdump -i ens4 -s 65535 -w a.pcap


We can now connect from various clients, for example browsers, curl, and Python clients on various operating systems. After the connections, we stop the capture and use the following commands to collect the TLS fingerprints:


pip install pyja3
ja3 a.pcap



The output of the JA3 command prints the TLS fingerprints, one record per ClientHello seen in the capture. Notice that it is not limited to the connecting clients: the record whose source_ip is the VM's own address (10.128.0.21) is a ClientHello the server machine itself sent to an outside host. Notice also that destination_ip shows the VM's internal address rather than its public one, since GCP maps the external IP to the VM by NAT.



    {
        "destination_ip": "10.128.0.21",
        "destination_port": 443,
        "ja3": "771,4866-4867-4865-4868-49196-49200-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49235-49195-49199-158-49326-49324-49314-49310-49244-49248-49234-49188-49192-107-49267-49271-196-49187-49191-103-49266-49270-190-49162-49172-57-136-49161-49171-51-154-69-49159-49169-49160-49170-22-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-150-65-5-10-255,11-10-22-23-13-43-45-51-21,29-23-30-25-24,0-1-2",
        "ja3_digest": "fd20b51c9b799da35cbf66c7b81f7a56",
        "source_ip": "72.195.34.41",
        "source_port": 40983,
        "timestamp": 1654167857.244541
    },
    {
        "destination_ip": "10.128.0.21",
        "destination_port": 443,
        "ja3": "771,4866-4867-4865-4868-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-49188-49192-107-106-49267-49271-196-195-49187-49191-103-64-49266-49270-190-189-49162-49172-57-56-136-135-49161-49171-51-50-154-153-69-68-49159-49169-49160-49170-22-19-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-150-65-5-10-255,11-10-22-23-13-43-45-51-21,29-23-30-25-24,0-1-2",
        "ja3_digest": "c69dad62b497533e2e02a19470912253",
        "source_ip": "72.221.172.203",
        "source_port": 45675,
        "timestamp": 1654167857.333206
    },
    {
        "destination_ip": "74.125.202.95",
        "destination_port": 443,
        "ja3": "771,49199-49200-49195-49196-52392-52393-49171-49161-49172-49162-156-157-47-53-49170-10-4865-4867-4866,13172-0-5-10-11-13-65281-16-18-43-51,29-23-24-25,0",
        "ja3_digest": "706ea0b1920182287146b195ad4279a6",
        "source_ip": "10.128.0.21",
        "source_port": 56900,
        "timestamp": 1654167858.61766
    },
    {
        "destination_ip": "10.128.0.21",
        "destination_port": 443,
        "ja3": "771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24,0-1-2",
        "ja3_digest": "004556e859f3c26c5d19746b3a957c74",
        "source_ip": "104.168.87.16",
        "source_port": 34730,
        "timestamp": 1654167859.417917
    },
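To make the ja3 and ja3_digest fields above concrete, here is an added example (not from the original post and not the pyja3 project's code) that does by hand what the ja3 command does for each record: it parses the five JA3 fields out of a raw ClientHello (ClientHello version, cipher suites, extension ids, supported groups, EC point formats), drops GREASE values, joins them into the JA3 string and MD5-hashes it. Since no pcap is available offline, the script constructs a ClientHello from the fourth record above and adds GREASE noise to it, so the result can be checked against the digest pyja3 printed; the builder, the helper names and the GREASE check are this example's own.

```python
import hashlib
import struct


def is_grease(value: int) -> bool:
    # GREASE ids (RFC 8701) are 0x0a0a, 0x1a1a, ... 0xfafa; clients randomise which they
    # send, so JA3 drops them or the same browser would hash differently on every connection.
    return (value >> 8) == (value & 0xFF) and (value & 0x0F) == 0x0A


def build_client_hello(version, ciphers, extensions, groups, point_formats) -> bytes:
    """Construct a minimal ClientHello record from the five JA3 fields (test input only)."""
    ext_body = b""
    for ext_type in extensions:
        if ext_type == 10:    # supported_groups carries a 2-byte length, then 2-byte ids
            data = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
        elif ext_type == 11:  # ec_point_formats carries a 1-byte length, then 1-byte ids
            data = struct.pack("!B", len(point_formats)) + bytes(point_formats)
        else:                 # JA3 ignores the body of every other extension
            data = b""
        ext_body += struct.pack("!HH", ext_type, len(data)) + data
    hello = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, zero random, empty session id
    hello += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    hello += b"\x01\x00"                                           # compression methods: null only
    hello += struct.pack("!H", len(ext_body)) + ext_body
    handshake = b"\x01" + struct.pack("!I", len(hello))[1:] + hello   # type 1 + 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes):
    """Extract (version, ciphers, extensions, groups, point_formats) from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9                                                # 5-byte record header + 4-byte handshake header
    version = struct.unpack("!H", record[pos:pos + 2])[0]  # JA3 uses this field, not the record version
    pos += 2 + 32                                          # version + random
    pos += 1 + record[pos]                                 # session id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    ciphers = [c for (c,) in struct.iter_unpack("!H", record[pos:pos + cs_len]) if not is_grease(c)]
    pos += cs_len
    pos += 1 + record[pos]                                 # compression methods
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    extensions, groups, point_formats = [], [], []
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if is_grease(ext_type):
            continue
        extensions.append(ext_type)
        if ext_type == 10:
            groups = [g for (g,) in struct.iter_unpack("!H", data[2:]) if not is_grease(g)]
        elif ext_type == 11:
            point_formats = list(data[1:])
    return version, ciphers, extensions, groups, point_formats


def ja3_string(fields) -> str:
    """Join the five fields exactly as JA3 does: commas between fields, dashes within a list."""
    version, *lists = fields
    return ",".join([str(version)] + ["-".join(str(x) for x in lst) for lst in lists])


def ja3_digest(ja3: str) -> str:
    return hashlib.md5(ja3.encode()).hexdigest()


def fields_from_ja3_string(ja3: str):
    """Inverse of ja3_string, used to turn the tool's printed output back into test input."""
    version, *lists = ja3.split(",")
    return (int(version), *[[int(x) for x in lst.split("-")] if lst else [] for lst in lists])


# Copied from the fourth record of the capture output above (client 104.168.87.16).
PAGE_JA3 = ("771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-"
            "49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,"
            "11-10-35-22-23-13-43-45-51-21,29-23-30-25-24,0-1-2")
PAGE_DIGEST = "004556e859f3c26c5d19746b3a957c74"


def demo():
    """Build a ClientHello with the page's values plus GREASE noise and fingerprint it."""
    version, ciphers, extensions, groups, point_formats = fields_from_ja3_string(PAGE_JA3)
    # A GREASE cipher, extension and group are inserted up front; they must not change the result.
    hello = build_client_hello(version, [0x0A0A] + ciphers, [0x1A1A] + extensions,
                               [0x2A2A] + groups, point_formats)
    ja3 = ja3_string(parse_client_hello(hello))
    return ja3, ja3_digest(ja3)


if __name__ == "__main__":
    ja3, digest = demo()
    print(ja3)
    print(digest, "matches pyja3" if digest == PAGE_DIGEST else "MISMATCH")
```

The only thing pyja3 adds on top of this is the pcap handling: it walks the TCP payloads with dpkt and feeds every TLS record that starts with a ClientHello into the same five-field extraction. Since the digest is a plain MD5 of the printed string, any fingerprint from a capture can be re-derived and compared against a published JA3 list with nothing more than the ja3 field.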