Advanced-Labs
JA4HTTP Lab

Step 1: Capturing Traffic with Wireshark for JA4H

Objective: Capture TLS traffic in Wireshark and extract JA4H fingerprints (which cover both Client Hello and Server Hello messages).

Open Wireshark:

  1. Launch Wireshark and choose the network interface you wish to monitor (e.g., Wi-Fi, Ethernet, or a specific VPN interface).

Set Filter for TLS Handshakes:

  1. To capture only the TLS handshake messages that are relevant for JA4H fingerprinting, set the following capture filter:

    tls.handshake.type == 1 || tls.handshake.type == 2

    This filter ensures you only see Client Hello and Server Hello packets, which are essential for computing the full JA4H fingerprint.

Start Capturing:

  1. Begin capturing the traffic by clicking the Start Capture button (blue fin icon) at the top of Wireshark. Wireshark will start capturing and displaying traffic, filtering for handshake packets that fit the criteria.

Stop Capture:

  1. Once you’ve captured enough traffic (typically after observing some Client/Server Hello exchanges), click the Stop Capture button (red square).

Analyze JA4H Fingerprint:

  1. Select a Client Hello packet from the list. In the Packet Details Pane, expand the Transport Layer Security (TLS) layer and look for the JA4H fingerprint field. Wireshark’s JA4 plugin should calculate the fingerprint, combining the Client and Server Hello.

    Example JA4H fingerprint:

    ge11cr12enus_5ade4afeec07_b10ab4807dca_16ecf81388fa

    This fingerprint uniquely represents the handshake, including specific details like TLS version, cipher suites, and extensions exchanged.

Save Captured Traffic as PCAP:

  1. Go to File > Export Specified Packets and save the captured traffic as a PCAP file. Name the file something recognizable like tls-handshake-ja4h.pcap.

Step 2: Import the PCAP into Arkime for Further Analysis

Objective: Load the PCAP into Arkime for deeper analysis of connections and TLS details, including JA4H fingerprints.

Set Up Arkime:

  1. If Arkime isn’t already set up, follow the installation instructions on the Arkime website. Ensure Arkime is running, and that you can access it via its web interface (typically hosted at http://localhost:8005).

Upload PCAP File to Arkime:

  1. In the Arkime web interface, navigate to the Upload section. Select your previously saved PCAP file (tls-handshake-ja4h.pcap) and upload it to Arkime. Arkime will start processing the traffic and index the metadata, allowing you to search and analyze the packets.

Search for JA4H Fingerprints:

  1. In the Search tab, you can use search filters to find packets based on JA4H fingerprints or related handshake information.

    Example search query to find TLS handshakes:

    tls && ja4h == ge11cr12enus_5ade4afeec07_b10ab4807dca_16ecf81388fa

    This will return any packets matching that specific JA4H fingerprint, allowing you to track sessions or anomalies.

Analyze the Results:

  1. Explore each connection in detail. Arkime will show you the client IPs, server IPs, timestamps, and the full session information. Look for unusual or unknown servers in the handshake, or investigate key reuse or non-standard cipher suite usage.

Step 3: Extract Images with Driftnet

Objective: Use Driftnet to capture and display any images being transmitted over the network.

Install Driftnet:

  1. On a Linux machine (or any system supporting Driftnet), install it using the package manager.

    sudo apt-get install driftnet

    This tool will monitor network traffic and extract images, which is useful for visually inspecting web traffic, especially when combined with JA4H analysis.

Run Driftnet on Live Traffic:

  1. Driftnet works by listening to the network interface for HTTP/HTTPS traffic. Start Driftnet and point it to your interface (e.g., eth0 for Ethernet):

    sudo driftnet -i eth0

    This command will capture and display images being transferred over HTTP or decrypted HTTPS traffic.

Analyze Extracted Images:

  1. As images are extracted from the network traffic, they will display in real-time. Use this to identify suspicious images that might be related to malicious behavior or unauthorized traffic. Correlate this with the JA4H fingerprints from Arkime to see if the images are part of any suspicious TLS connections.

Step 4: Correlate Data Between Arkime and Driftnet

Objective: Combine the insights from Arkime (for session and handshake analysis) with Driftnet (for image content extraction).

Cross-Reference Traffic Sessions:

  1. Look at the session details in Arkime for any connections with suspicious JA4H fingerprints or unknown servers. Use the timestamps and session IDs to match these connections with the image data captured by Driftnet.

Check for Suspicious Activity:

  1. If Arkime shows connections to unusual or suspicious domains (e.g., malware control servers), see if Driftnet captured any images transmitted over those connections. Check if any malicious images or phishing content was transmitted within these sessions.

Step 5: Take Action Based on Analysis

Objective: Use the findings from Arkime and Driftnet to secure your network.

Flag Malicious Connections:

  1. Based on the results from Arkime’s JA4H analysis and Driftnet’s image extraction, you can block suspicious IP addresses or domains at your firewall. Report any JA4H fingerprints associated with malicious servers to the appropriate threat intelligence databases or update your SIEM system to track these fingerprints.

Continuous Monitoring:

  1. Set up automated alerts in Arkime for specific JA4H fingerprints, allowing you to continuously monitor for unusual or unauthorized traffic. Automate Driftnet to alert when specific image content (such as known malware images) is detected.

Summary

  • Wireshark: Captures TLS handshakes and computes JA4H fingerprints. Export this traffic as PCAP for deeper analysis.
  • Arkime: Allows detailed analysis of the uploaded PCAP, including searching by JA4H fingerprints and understanding the entire TLS session.
  • Driftnet: Extracts images from network traffic, useful for correlating visual content with the TLS connections analyzed in Arkime.

Step-by-Step Review

  1. Capture traffic in Wireshark using TLS handshake filters and save the traffic as a PCAP file.
  2. Upload the PCAP to Arkime, then search for specific JA4H fingerprints or anomalies in TLS traffic.
  3. Use Driftnet to extract images from network traffic and correlate the image content with the suspicious connections found in Arkime.
  4. Take action by blocking or reporting malicious servers and continuously monitor using automated alerts in Arkime.
Advanced Labs OverviewBlog