Quick-Labs
JA4
JA4S

JA4Server (JA4S) Fingerprinting Guide

JA4Server (JA4S) extends the concept of client fingerprinting to the server side. It captures attributes from the TLS Server Hello and Server Certificate messages during the initial handshake to create a unique identifier for the server’s response behavior.

Step 1: Understanding JA4S Components

Components of a JA4S Fingerprint:

  • TLS Version: The version of the TLS protocol used by the server in the Server Hello response.
  • Server Chosen Cipher Suite: The specific cipher suite selected by the server for the session.
  • Server Extensions: Extensions supported or required by the server in the Server Hello response.
  • Server Certificate Information: Attributes from the X.509 certificate provided by the server.
  • Supported Elliptic Curves (for TLS 1.2 and earlier): If applicable, the curves supported by the server.
  • Supported Point Formats: Point formats for elliptic curve exchanges supported by the server.

Step 2: Capturing TLS Server Response Traffic

Using Wireshark

  • Open Wireshark and start capturing traffic on the desired interface.
  • Apply a filter: tcp.port == 443 to capture only TLS traffic.
  • Initiate a connection to a secure website or service to generate TLS Server Hello responses.
  • Stop the capture after the handshake is complete.

Using Zeek

  • Configure Zeek to capture traffic on the relevant interface.
  • Use the ssl.log file generated by Zeek to extract TLS Server Hello messages and certificate information.

Using tcpdump

Use tcpdump to capture traffic:

sudo tcpdump -i eth0 port 443 -w tls_server_capture.pcap

This captures all TLS traffic on port 443, including server responses.

Step 3: Extracting TLS Server Hello and Certificate Information

Using Wireshark

  • Open the .pcap file in Wireshark.
  • Locate the Server Hello packet. This is typically the second or third packet in a TLS session, following the Client Hello.
  • Expand the TLS section to view:
    • Version: The TLS version selected by the server.
    • Cipher Suite: The specific cipher suite chosen by the server.
    • Extensions: Supported extensions like renegotiation_info or session_ticket.
  • Locate the Certificate message that follows the Server Hello.
  • Expand the X.509 Certificates section to view:
    • Subject: The subject of the certificate (e.g., CN=example.com).
    • Issuer: The certificate authority that issued the certificate.
    • Validity: Start and end dates of the certificate.
    • Public Key Info: Information about the public key used.

Using Zeek

  • Open the ssl.log file.
  • Identify the server_hello and certificate entries.
  • Extract relevant fields like version, cipher, and cert_chain_fuids.
  • Cross-reference with x509.log to get detailed certificate information.

Using a Python Script

Use the pyshark library to parse the .pcap file programmatically.

import pyshark
 
# Load the capture file
capture = pyshark.FileCapture('tls_server_capture.pcap')
 
for packet in capture:
    if 'tls' in packet:
        tls_layer = packet.tls
        if 'Server Hello' in str(tls_layer):
            # Extract server hello attributes
            version = tls_layer.handshake_version
            cipher_suite = tls_layer.handshake_ciphersuite
            extensions = tls_layer.handshake_extensions
            print(f"Version: {version}")
            print(f"Cipher Suite: {cipher_suite}")
            print(f"Extensions: {extensions}")
 
        if 'Certificate' in str(tls_layer):
            # Extract certificate details
            subject = tls_layer.x509af_subject_dn
            issuer = tls_layer.x509af_issuer_dn
            validity = tls_layer.x509af_validity_not_before + " - " + tls_layer.x509af_validity_not_after
            print(f"Certificate Subject: {subject}")
            print(f"Issuer: {issuer}")
            print(f"Validity: {validity}")

Step 4: Constructing the JA4S Fingerprint

Structure of the JA4S Fingerprint

Combine the components in the following order:

t<tls_version>c<server_cipher_suite>_<hash_of_extensions>_<hash_of_cert_subject>_<hash_of_cert_issuer>

Use a hash function like SHA-256 for extensions and certificate fields to maintain uniqueness.

Example

  • TLS Version: TLS 1.2
  • Server Cipher Suite: 0035
  • Extensions: ff01,000a,000b,000d
  • Certificate Subject: CN=example.com, O=Example Org, C=US
  • Certificate Issuer: CN=Example CA, O=CA Org, C=US

Fingerprint String

t12c0035_1a2f3d4e_5b9c8d3a_7f2d1e4c

Python Code for Generating JA4S Fingerprint

import hashlib
 
# Example data extracted from TLS Server Hello and Certificate
tls_version = "12"
server_cipher_suite = "0035"
extensions = "ff01,000a,000b,000d"
cert_subject = "CN=example.com, O=Example Org, C=US"
cert_issuer = "CN=Example CA, O=CA Org, C=US"
 
# Generate hashes for each component
def generate_hash(component):
    return hashlib.sha256(component.encode()).hexdigest()[:8]
 
# Construct JA4S fingerprint
ja4s_fingerprint = f"t{tls_version}c{server_cipher_suite}_{generate_hash(extensions)}_{generate_hash(cert_subject)}_{generate_hash(cert_issuer)}"
 
print(f"JA4S Fingerprint: {ja4s_fingerprint}")

Step 5: Practical Application of JA4S Fingerprints

Server Identity Verification

  • Use JA4S fingerprints to verify the identity of servers and detect impersonation.
  • Compare fingerprints against known values to ensure legitimate connections.

Malware Detection

  • Identify malicious servers that present known JA4S fingerprints.
  • Monitor for deviations in server behavior, indicating potential compromise.

Certificate Management

  • Use fingerprints to monitor certificate lifecycles and detect expired or untrusted certificates.
  • Automate alerts for invalid or unknown certificates.

Anomaly Detection

  • Track changes in JA4S fingerprints over time to identify unauthorized changes to server configurations.

Step 6: Integration and Tooling

Zeek Integration

  • Use custom scripts to generate JA4S fingerprints from ssl.log and x509.log.
  • Create Zeek event handlers to trigger alerts based on specific fingerprints.

Suricata Integration

  • Use the TLS module in Suricata to extract JA4S attributes.
  • Write rules to monitor and alert on specific server behaviors.

SIEM Integration

  • Feed JA4S fingerprints into SIEM platforms like Splunk.
  • Use dashboards to visualize server fingerprint trends and anomalies.

Automation

  • Automate the process of fingerprint generation and comparison using scheduled scripts.
  • Integrate with orchestration tools for automated response to suspicious fingerprints.

Step 7: Advanced Usage and Customization

Custom Attributes

  • Include additional certificate attributes, such as SAN (Subject Alternative Name) for more granular fingerprints.
  • Use JA4X509 in conjunction with JA4S for enhanced server identity verification.

Machine Learning Models

  • Train models to classify and predict server behavior based on historical JA4S fingerprints.
  • Use anomaly detection models to flag unexpected fingerprint changes.

Enhanced Detection Rules

  • Write complex rules that combine JA4S with client-side JA4 fingerprints to detect specific client-server interactions.
  • Use JA4S fingerprints in conjunction with latency and TCP fingerprints for a multi-dimensional analysis.

Next Steps: Moving to JA4HTTP (JA4H)

With JA4Server (JA4S) covered, we will now move to JA4HTTP (JA4H) for HTTP client fingerprinting. This guide will focus on how to fingerprint HTTP clients based on their request headers and behavior. Let me know if you have any specific areas to emphasize or if there are other topics you'd like to explore further!

JA4HTTPJA4SSH