JA4+ is a suite of network fingerprinting standards

Overview

JA4+ Network Fingerprinting

JA4+ is a suite of network fingerprinting methods that are easy to use and easy to share. These methods are both human and machine readable to facilitate more effective threat-hunting and analysis. The use-cases for these fingerprints include scanning for threat actors, malware detection, session hijacking prevention, compliance automation, location tracking, DDoS detection, grouping of threat actors, reverse shell detection, and many more.

Please read this blog post for more details: JA4+ Network Fingerprinting

This repo includes JA4+ scripts in Python as well as Rust Binaries.

JA4+ support is being added to:
GreyNoise
Hunt
Driftnet
Darksail
Arkime
GoLang (JA4X)
with more to be announced...

Examples

Application JA4+ Fingerprints
Chrome JA4=t13d1518h2_8daaf6152771_e5627efa2ab1 (TCP)
JA4=q13d0310h3_55b375c5d22e_cd85d2d88918 (QUIC)
IcedID Malware Dropper JA4H=ge11cn020000_9ed1ff1f7b03_cd8dafe26982
IcedID Malware JA4=t13d201100_2b729b4bf6f3_9e7b989ebec8
JA4S=t120300_c030_5e2616a54c73
Sliver Malware JA4=t13d190900_9dc949149365_97f8aa674fd9
JA4S=t130200_1301_a56c5b993250
JA4X=000000000000_4f24da86fad6_bf0f0589fc03
JA4X=000000000000_7c32fa18c13e_bf0f0589fc03
Cobalt Strike JA4H=ge11cn060000_4e59edc1297a_4da5efaf0cbd
JA4X=2166164053c1_2166164053c1_30d204a01551
SoftEther VPN JA4=t13d880900_fcb5b95cb75a_b0d3b4ac2a14 (client)
JA4S=t130200_1302_a56c5b993250
JA4X=d55f458d5a6c_d55f458d5a6c_0fc8c171b6ae
Evilginx JA4=t13d191000_9dc949149365_e7c285222651
Reverse SSH Shell JA4SSH=c76s76_c71s59_c0s70

Database

An official JA4+ database of fingerprints, associated applications and recommended detection logic is in the process of being built.

JA4+ Details

JA4+ is a set of simple yet powerful network fingerprints for multiple protocols that are both human and machine readable, facilitating improved threat-hunting and security analysis. If you are unfamiliar with network fingerprinting, I encourage you to read my blogs releasing JA3 here, JARM here, and this excellent blog by Fastly on the State of TLS Fingerprinting which outlines the history of the aforementioned along with their problems. JA4+ brings dedicated support, keeping the methods up-to-date as the industry changes.

All JA4+ fingerprints have an a_b_c format, delimiting the different sections that make up the fingerprint. This allows for hunting and detection utilizing just ab or ac or c only. If one wanted to just do analysis on incoming cookies into their app, they would look at JA4H_c only. This new locality-preserving format facilitates deeper and richer analysis while remaining simple, easy to use, and allowing for extensibility.

For example; GreyNoise is an internet listener that identifies internet scanners and is implementing JA4+ into their product. They have an actor who scans the internet with a constantly changing single TLS cipher. This generates a massive amount of completely different JA3 fingerprints but with JA4, only the b part of the JA4 fingerprint changes, parts a and c remain the same. As such, GreyNoise can track the actor by looking at the JA4_ac fingerprint (joining a+c, dropping b).

Current methods and implementation details:
JA4: TLS Client Fingerprinting
JA4S: TLS Server/Session Fingerprinting
JA4H: HTTP Client Fingerprinting
JA4L: Light Distance Locality
JA4X: X509 TLS Certificate Fingerprinting
JA4SSH: SSH Traffic Fingerprinting
Additional JA4+ methods are in the works...

Licensing

JA4: TLS Client Fingerprinting is open-source, BSD 3-Clause, same as JA3. This allows any company or tool currently utilizing JA3 to immediately upgrade to JA4 without delay.

JA4+, which includes JA4S, JA4L, JA4H, JA4X, JA4SSH, and all future additions, are licensed under the FoxIO License 1.1. This license is permissive for most use cases, including for academic and internal business purposes, but is not permissive for monetization. If, for example, a company would like to use JA4+ internally to help secure their own company, then that is permitted. If, for example, a vendor would like to implement JA4+ into one of their products, they would need to purchase an OEM license from us.

Open-source projects can implement JA4+ as long as they reference the FoxIO License as it pertains to JA4+. Projects can achieve this in different ways such as simply adding the license to a NOTICE file that is referenced in the license file, see Arkime as an example. Or by calling JA4+ as a plugin residing within a separate repository.

This licensing allows us to provide JA4+ to the world in a way that is open and easily usable by most, but also provides us with a way to fund continued support, research into new methods, and the development of the upcoming JA4 Database. We want everyone to have the ability to utilize JA4+ and are happy to work with vendors and open-source projects to help make that happen.

Q&A

Q: Why are you sorting the ciphers? Doesn’t the ordering matter?
A: It does but in our research we’ve found that applications and libraries choose a unique cipher list more than unique ordering. This also reduces the effectiveness of “cipher stunting,” a tactic of randomizing cipher ordering to prevent JA3 detection.

Q: Why are you sorting the extensions?
A: Earlier in 2023, Google updated Chromium browsers to randomize their extension ordering. Much like cipher stunting, this was a tactic to prevent JA3 detection and “make the TLS ecosystem more robust to changes.” Google was worried server implementers would assume the Chrome fingerprint would never change and end up building logic around it, which would cause issues whenever Google went to update Chrome.

So I want to make this clear: JA4 fingerprints will change as application TLS libraries are updated, about once a year. Do not assume fingerprints will remain constant in an environment where applications are updated. In any case, sorting the extensions gets around this and adding in Signature Algorithms preserves uniqueness.

Q: Doesn't TLS 1.3 make fingerprinting TLS clients harder?
A: No, it makes it easier! Since TLS 1.3, clients have had a much larger set of extensions and even though TLS1.3 only supports a few ciphers, browsers and applications still support many more.

JA4+ was created by:

John Althouse, with feedback from:

Josh Atkins
Jeff Atkinson
Joshua Alexander
W.
Joe Martin
Ben Higgins
Andrew Morris
Chris Ueland
Ben Schofield
Matthias Vallentin
Valeriy Vorotyntsev
Timothy Noel
Gary Lipsky
And engineers working at GreyNoise, Hunt, Google, ExtraHop, F5, Driftnet and others.

Contact John Althouse at [email protected] for licensing and questions.

You might also like...
Mod for Mega Man Battle Network Legacy Collection to restore the WWW base music in the postgame.

MMBNLC Postgame WWW Base Music mod This is a mod for Mega Man Battle Network Legacy Collection Vol. 2 adjusts the field music played in the WWW base i

🪂 SkyFolder shares your folders on the network!
🪂 SkyFolder shares your folders on the network!

Skyfolder Easily share your files & folders on the network. Security, Simplicity, Style all built in. It's like your own personal Google Drive! Skyfol

Share clipboard between machines on your local network.

Clipshare Do you ever have to work on multiple machines? Do you ever used your Github™ Gists just to send some text between then? Clipshare is here to

A simplified example in Rust of training a neural network and then using it based on the Candle Framework by Hugging Face.

candle-simplified-example A simplified example in Rust of training a neural network and then using it based on the Candle Framework by Hugging Face. H

⚡🚀 Content Delivery Network written in Rustlang, optimized for speed and latency.
⚡🚀 Content Delivery Network written in Rustlang, optimized for speed and latency.

Supported Formats HTML Javscript Css Image PNG JPG JPEG GIF SVG Video MP4 WEBM FLV Audio OGG ACC MP3 Archives ZIP RAR Feeds & Data JSON YAML XML Docum

Passive TCP/IP fingerprinting tool

This tool analyzes first stage of TCP handshake (SYN) and recognize operating system of client Build To build sp0ky, you need to install Rust git clon

Rust implementation of CRC(16, 32, 64) with support of various standards

crc Rust implementation of CRC(16, 32, 64). MSRV is 1.46. Usage Add crc to Cargo.toml [dependencies] crc = "2.0" Compute CRC use crc::{Crc, Algorithm,

OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.
OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.

OpenSK This repository contains a Rust implementation of a FIDO2 authenticator. We developed this as a Tock OS application and it has been successfull

Rust implementation of CAIP standards

Rust CAIP Standard Utilities Chain Agnostic Improvement Proposals (CAIP) is a set of standards for multi-chain interoperability. CAIP-2: Chain ID use

OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.

OpenSK This repository contains a Rust implementation of a FIDO2 authenticator. We developed OpenSK as a Tock OS application. We intend to bring a ful

swc is a super-fast compiler written in rust; producing widely-supported javascript from modern standards and typescript.
swc is a super-fast compiler written in rust; producing widely-supported javascript from modern standards and typescript.

Make the web (development) faster. SWC (stands for Speedy Web Compiler) is a super-fast TypeScript / JavaScript compiler written in Rust. It's a libra

A Rust Library of China's Standards of Encryption Algorithms (SM2/3/4)

Libsm Libsm is an open source pure rust library of China Cryptographic Algorithm Standards. It is completed by a collaborative effort between the Cryp

This tool converts Lua code to TS automatically, including the conversion of common standards to their TS equivalents.

lua-to-ts This tool converts Lua code to TS automatically, including the conversion of common standards to their TS equivalents. Code that fails to be

A Rust Implementation of China's Standards of Encryption Algorithms(SM2/SM3/SM4)

gm-rs A Pure Rust High-Performance Implementation of China's Standards of Encryption Algorithms(SM2/SM3/SM4) Usage Add this to your Cargo.toml: [depen

A BASIC language interpreter. Does not conform to existing standards. Mostly a toy.
A BASIC language interpreter. Does not conform to existing standards. Mostly a toy.

JW-Basic A toy language that is somewhat like QBasic. Features: Graphics: 160x96 (255 colors & transparent) Text: 32x16 (4x5 font) Character set: ASCI

An NLP-suite powered by deep learning
An NLP-suite powered by deep learning

DeepFrog - NLP Suite Introduction DeepFrog aims to be a (partial) successor of the Dutch-NLP suite Frog. Whereas the various NLP modules in Frog wre b

Hidden parameters discovery suite

x8 Hidden parameters discovery suite written in Rust. How does it work Features Examples Send parameters via query Send parameters via body Custom tem

Terra development suite

rover Terra development suite Planned features Usage Commands Planned features Includes a starter smart contract, can be cw-template or similar. Has a

A suite of programs for Solana key management and security.
A suite of programs for Solana key management and security.

🔑 goki Goki is a suite of programs for Solana key management and security. It currently features: Goki Smart Wallet: A wallet loosely based on the Se

Comments
  • Linux reference implementation QUIC issues?

    Linux reference implementation QUIC issues?

    I just tried to process various QUIC pcaps with the Linux binary (binaries/linux/ja4) and just got an empty response. For example, for this one:

    $ ./binaries/linux/ja4 chrome-cloudflare-quic-with-secrets.pcapng
    []
    

    Can the binaries you provide handle QUIC? For pcaps with TLS content like HTTP/2, I get proper results. Converting from pcapng to pcap with Wireshark didn't help.

    opened by satta 3
  • rust: Add missing workspace files. Setup CI

    rust: Add missing workspace files. Setup CI

    • Rust sources:
      • Add the top-level Cargo.toml file. The code would not compile without it.
      • Add license headers to each .rs file.
      • Add CHANGELOG.md — it is used by the CI release workflow.
    • Setup GitHub Actions CI:
      • check and test workflows get triggered when a PR is created or the code is pushed to main branch.
      • release workflow runs when a git tag is pushed to the GitHub repository. The workflow compiles Rust binaries and uploads them to a newly created GitHub release page.
    opened by vvv 1
Releases(v0.14.0)
Coppers is a custom test harnass for Rust that measures the energy usage of your test suite.

Coppers Coppers is a test harness for Rust that can measure the evolution of power consumptions of a Rust program between different versions with the

Thijs Raymakers 175 Dec 4, 2022
Holo is a suite of routing protocols designed to support high-scale and automation-driven networks.

Holo is a suite of routing protocols designed to support high-scale and automation-driven networks. For a description of what a routing protocol is, p

Renato Westphal 42 Apr 16, 2023
🦚 A web-app pentesting suite written in rust .

Kanha - A web-app pentesting suite written in rust ?? Installation ⦾ Subcommands ⦾ Contribute Kanha is a tool that can help you perform, a variety of

Nabeen Tiwaree 79 Sep 19, 2023
Zenith - sort of like top or htop but with zoom-able charts, CPU, GPU, network, and disk usage

Zenith - sort of like top or htop but with zoom-able charts, CPU, GPU, network, and disk usage

Benjamin Vaisvil 1.6k Jan 4, 2023
Send copy events over the network

Copiepate Copiepate is a small utility to remotely set the content of a clipboard. I created this tool as I frequently use a remote tmux+vim setup and

Loïc Carr 14 Jun 12, 2022
Generate QR code of your Wi-Fi network

ranpha Generate QR code of your Wi-Fi network. Usage: -p PROTOCOL -s SSID [-k KEY] [-f IMAGE_FORMAT] [-o OUT_DIR] [--size SIZE]

Yuki Okushi 6 Oct 25, 2022
Rollback netcode for Mega Man Battle Network!

Tango Tango is rollback netplay for Mega Man Battle Network. Supported games MEGAMAN6_FXXBR6E: Mega Man Battle Network 6: Cybeast Falzar (US) MEGAMAN6

Tango 68 Dec 31, 2022
Captures packets and streams them to other devices. Built for home network analysis and A&D CTFs.

?? shiny-donut shiny-donut is a packet capture app that supports streaming packets from a remote system to another device. The main use for this is to

Justin Perez 3 Nov 30, 2022
When your network-sense tingles 🚨

HTTP Sense HTTP Sense is a reverse proxy and network monitoring tool that provides comprehensive network monitoring for your backend servers and micro

HTTP Sense 6 Dec 22, 2022
Set of tools that make it easier for the operator to manage a TAPLE network.

⚠️ TAPLE is in early development and should not be used in production ⚠️ TAPLE Tools TAPLE (pronounced T+ ?? ['tapəl]) stands for Tracking (Autonomous

Open Canarias 5 Jan 25, 2023