JA4SSH

JA4SSH extends the concept of network traffic fingerprinting to the SSH protocol, allowing for the identification and classification of SSH clients based on their handshake properties. This technique is invaluable for detecting anomalies, recognizing known clients, and identifying malicious behavior attempting to blend into legitimate traffic.

In this comprehensive guide, we will explore the components of a JA4SSH fingerprint, demonstrate how to capture and generate these fingerprints, and discuss how to leverage them for enhanced network security.

Table of Contents

  1. Understanding JA4SSH Components
  2. Capturing and Extracting SSH Handshake Information
  3. Constructing the JA4SSH Fingerprint
  4. Practical Application of JA4SSH Fingerprints
  5. Integration and Tooling
  6. Advanced Usage and Customization
  7. Conclusion

Step 1: Understanding JA4SSH Components

Before diving into capturing and constructing JA4SSH fingerprints, it's essential to understand the components that make up a JA4SSH fingerprint. These elements are extracted from the SSH handshake and reveal key characteristics of the SSH client.

Components of a JA4SSH Fingerprint

  • Protocol Version: Indicates the SSH protocol version, typically SSH-2.0.
  • Software Version String: The client’s software and version, such as OpenSSH_8.4.
  • Supported Key Exchange (KEX) Algorithms: Algorithms the client can use for establishing a shared key, e.g., diffie-hellman-group14-sha256.
  • Supported Host Key Algorithms: Algorithms for server identity verification, e.g., ssh-ed25519, rsa-sha2-256.
  • Supported Encryption Ciphers: Symmetric ciphers supported for session encryption, e.g., aes128-ctr, aes256-gcm@openssh.com.
  • Supported MAC Algorithms: Algorithms for ensuring message integrity, e.g., hmac-sha2-256, umac-128@openssh.com.
  • Supported Compression Algorithms: Methods for compressing session data, e.g., none, zlib.

Step 2: Capturing and Extracting SSH Handshake Information

To generate a JA4SSH fingerprint, we need to capture SSH handshake data. This step involves using network traffic capture tools to obtain the initial packets exchanged during an SSH session setup.

Using Wireshark

  1. Start Capturing: Open Wireshark and select the appropriate network interface.
  2. Apply Filters: Use the capture filter tcp.port == 22 to focus on SSH traffic.
  3. Establish an SSH Connection: Initiate an SSH connection from your client to the target server.
  4. Stop Capture: Once the handshake is complete, stop the capture to avoid unnecessary data.
  5. Analyze Handshake Packets: Look for the initial packets with the SSH protocol version and supported algorithms.

Using Zeek

  1. Set Up Zeek: Configure Zeek to monitor SSH traffic on the desired network interface.
  2. Capture Traffic: Zeek will automatically log SSH connection details in the ssh.log file.
  3. Extract Information: Use custom Zeek scripts to parse the ssh.log and extract the necessary handshake components.

# Zeek script to print the SSH client's version banner and the algorithms it advertises.
# It uses Zeek's built-in ssh_client_version and ssh_capabilities events, which fire
# on the client identification string and on each SSH_MSG_KEXINIT respectively.
event ssh_client_version(c: connection, version: string)
{
    print fmt("Client: %s, Banner: %s", c$id$orig_h, version);
}

event ssh_capabilities(c: connection, cookie: string, capabilities: SSH::Capabilities)
{
    # Only the client's KEXINIT is relevant for a client fingerprint; skip the server's.
    if ( capabilities$is_server )
        return;

    print fmt("KEX: %s, HKA: %s, ENC: %s, MAC: %s, COMP: %s",
              join_string_vec(capabilities$kex_algorithms, ","),
              join_string_vec(capabilities$server_host_key_algorithms, ","),
              join_string_vec(capabilities$encryption_algorithms$client_to_server, ","),
              join_string_vec(capabilities$mac_algorithms$client_to_server, ","),
              join_string_vec(capabilities$compression_algorithms$client_to_server, ","));
}

Using tcpdump

  1. Capture SSH Traffic: Run tcpdump -i <interface> 'tcp port 22' -w ssh_traffic.pcap to capture SSH packets.
  2. Analyze Packets: Use Wireshark or a similar tool to inspect the .pcap file for handshake details.

Step 3: Constructing the JA4SSH Fingerprint

With the handshake components captured, we can construct the JA4SSH fingerprint. The fingerprint identifies the SSH client software and configuration that produced the handshake; two clients running the same software with the same settings will produce the same fingerprint, which is what makes it useful for grouping and comparison.

Creating the Fingerprint String

Concatenate the extracted components in a structured format. Use the following format:

protocol_version|software_version|kex_algorithms|host_key_algorithms|encryption_ciphers|mac_algorithms|compression_algorithms

Example Fingerprint

For a client with the following properties:

  • Protocol Version: SSH-2.0
  • Software Version: OpenSSH_8.4
  • KEX Algorithms: curve25519-sha256, diffie-hellman-group14-sha256
  • Host Key Algorithms: rsa-sha2-256, ssh-ed25519
  • Encryption Ciphers: aes128-ctr, aes192-ctr, aes256-ctr
  • MAC Algorithms: hmac-sha2-256, umac-128@openssh.com
  • Compression Algorithms: none, zlib

The JA4SSH fingerprint would be:

SSH-2.0|OpenSSH_8.4|curve25519-sha256,diffie-hellman-group14-sha256|rsa-sha2-256,ssh-ed25519|aes128-ctr,aes192-ctr,aes256-ctr|hmac-sha2-256,umac-128@openssh.com|none,zlib

Hashing the Fingerprint (Optional)

For more concise storage and comparison, the fingerprint string can be hashed using SHA-256 or another hash function:

echo -n "SSH-2.0|OpenSSH_8.4|curve25519-sha256,...|none,zlib" | sha256sum
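The following Python script is an added worked example (not part of this guide or any JA4 tooling) that carries Step 3 end to end: it parses a client identification string and a raw SSH_MSG_KEXINIT payload as laid out in RFC 4253 section 7.1, assembles the fingerprint in the pipe-separated format shown above, and hashes it with SHA-256. The KEXINIT bytes are constructed inline from the example values in this guide; the function names, the choice to take the client-to-server direction for the cipher, MAC and compression lists, and the treatment of a banner comment are this example's own assumptions.

```python
import hashlib
import struct

SSH_MSG_KEXINIT = 20  # message id of SSH_MSG_KEXINIT (RFC 4253 section 7.1)


def encode_name_list(names):
    """Encode a list of algorithm names as an SSH name-list: uint32 length + comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hka, enc, mac, comp, cookie=b"\x00" * 16):
    """Build a client SSH_MSG_KEXINIT payload. Used here only to construct sample input."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    # Ten name-lists in wire order: kex, host key, enc c2s, enc s2c, mac c2s, mac s2c,
    # comp c2s, comp s2c, languages c2s, languages s2c.
    for names in (kex, hka, enc, enc, mac, mac, comp, comp, [], []):
        payload += encode_name_list(names)
    payload += b"\x00"               # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # reserved, always 0
    return payload


def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload and return the client's advertised algorithm lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT message")
    pos = 1 + 16  # skip the message id and the 16-byte random cookie
    lists = []
    for _ in range(10):
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + length].decode("ascii")
        lists.append(raw.split(",") if raw else [])
        pos += length
    return {
        "kex_algorithms": lists[0],
        "host_key_algorithms": lists[1],
        "encryption_ciphers": lists[2],      # client-to-server direction
        "mac_algorithms": lists[4],          # client-to-server direction
        "compression_algorithms": lists[6],  # client-to-server direction
    }


def parse_banner(line):
    """Split an identification string such as b'SSH-2.0-OpenSSH_8.4\\r\\n' into (protocol, software)."""
    banner = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    parts = banner.split("-", 2)
    if len(parts) != 3 or parts[0] != "SSH":
        raise ValueError("malformed SSH identification string")
    # Drop any trailing comment ("OpenSSH_8.4p1 Debian-5" -> "OpenSSH_8.4p1"); an assumption of this example.
    return f"{parts[0]}-{parts[1]}", parts[2].split(" ", 1)[0]


def ja4ssh_string(banner_line, kexinit_payload):
    """Assemble the pipe-separated fingerprint string in the format used in this guide."""
    proto, software = parse_banner(banner_line)
    algs = parse_kexinit(kexinit_payload)
    keys = ("kex_algorithms", "host_key_algorithms", "encryption_ciphers",
            "mac_algorithms", "compression_algorithms")
    return "|".join([proto, software] + [",".join(algs[k]) for k in keys])


def ja4ssh_hash(fingerprint):
    """SHA-256 of the fingerprint string, hex encoded, for compact storage and comparison."""
    return hashlib.sha256(fingerprint.encode("ascii")).hexdigest()


# Constructed sample handshake, built from the example values in this guide.
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_8.4\r\n"
SAMPLE_KEXINIT = build_kexinit(
    ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    ["rsa-sha2-256", "ssh-ed25519"],
    ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    ["hmac-sha2-256", "umac-128@openssh.com"],
    ["none", "zlib"],
)

if __name__ == "__main__":
    fp = ja4ssh_string(SAMPLE_BANNER, SAMPLE_KEXINIT)
    print(fp)
    print(ja4ssh_hash(fp))
```

When fed real captures, the two inputs come from the first client-to-server TCP segment (the banner) and the first binary packet after it (the KEXINIT, after stripping the packet length, padding length and padding fields of the SSH binary packet format); the parser rejects anything truncated rather than emitting a partial fingerprint.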

Step 4: Practical Application of JA4SSH Fingerprints

JA4SSH fingerprints are powerful tools for network monitoring, threat detection, and client identification.

Identifying Known Clients

Maintain a database of JA4SSH fingerprints for legitimate clients. Use this database to verify that only authorized clients are accessing your systems.

Detecting Anomalies

Detect deviations from expected SSH client behaviors. For example, if a known server is accessed by a client with an unexpected JA4SSH fingerprint, this could indicate an attempt to evade detection.

Threat Hunting

Use JA4SSH fingerprints to identify known malicious SSH clients or command-and-control servers. Monitor for fingerprints associated with specific attack tools or APT groups.

Forensic Analysis

During an investigation, review historical JA4SSH fingerprints to identify the clients involved in suspicious activities.
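As an added example of the "known clients" and "anomaly" checks described in this step (this code is not from the guide), the script below keeps a baseline of approved fingerprint hashes per destination server and reviews a small constructed log of observed connections against it. The log format (tab-separated timestamp, source, destination, fingerprint hash), the baseline contents, the verdict labels and the second client's fingerprint string are all assumptions made for the example.

```python
import hashlib

# Constructed baseline: the fingerprint strings of the client builds approved for each server.
# In practice this is the fingerprint database described above, keyed by server (or by user).
KNOWN_FP = ("SSH-2.0|OpenSSH_8.4|curve25519-sha256,diffie-hellman-group14-sha256|"
            "rsa-sha2-256,ssh-ed25519|aes128-ctr,aes192-ctr,aes256-ctr|"
            "hmac-sha2-256,umac-128@openssh.com|none,zlib")
# Constructed second fingerprint representing a different client library with a narrower algorithm set.
OTHER_FP = "SSH-2.0|paramiko_2.7.2|curve25519-sha256|ssh-ed25519|aes128-ctr|hmac-sha2-256|none"

KNOWN_GOOD = {"10.0.0.5": {KNOWN_FP}}


def fp_hash(fingerprint):
    """Hash a fingerprint string the same way it is stored in the log."""
    return hashlib.sha256(fingerprint.encode("ascii")).hexdigest()


BASELINE = {server: {fp_hash(fp) for fp in fps} for server, fps in KNOWN_GOOD.items()}

# Constructed log lines: ts, orig_h, resp_h, sha256(JA4SSH string), tab-separated.
OBSERVED = [
    ("1718000001.123", "10.0.0.20", "10.0.0.5", fp_hash(KNOWN_FP)),
    ("1718000002.456", "10.0.0.21", "10.0.0.5", fp_hash(OTHER_FP)),
    ("1718000003.789", "10.0.0.22", "10.0.0.9", fp_hash(KNOWN_FP)),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in OBSERVED)


def review_log(text, baseline):
    """Compare each logged connection's fingerprint hash with the baseline for its destination.

    Verdicts: 'known' (hash approved for that server), 'unexpected' (server has a baseline
    but this hash is not in it), 'no_baseline' (server has no approved set yet).
    """
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, resp_h, fp = line.split("\t")
        approved = baseline.get(resp_h)
        if approved is None:
            verdict = "no_baseline"
        elif fp in approved:
            verdict = "known"
        else:
            verdict = "unexpected"
        findings.append({"ts": ts, "orig_h": orig_h, "resp_h": resp_h, "fp": fp, "verdict": verdict})
    return findings


def alerts(findings):
    """Return only the findings an analyst needs to look at."""
    return [f for f in findings if f["verdict"] != "known"]


if __name__ == "__main__":
    for f in alerts(review_log(SAMPLE_LOG, BASELINE)):
        print(f"{f['verdict']:12} {f['orig_h']} -> {f['resp_h']} fp={f['fp'][:16]}...")
```

A server with no baseline is reported separately from a mismatch, so a freshly onboarded host does not drown the real deviations; the usual workflow is to let such hosts accumulate observations for a while and then promote the fingerprints seen from approved sources into KNOWN_GOOD.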

Step 5: Integration and Tooling

Integration with SIEM Platforms

Integrate JA4SSH fingerprinting with SIEM platforms like Splunk or Elastic to centralize fingerprint data and correlate it with other security events.

index=network sourcetype=zeek_ssh | stats count by ja4ssh_fingerprint | sort -count

Automating Fingerprint Extraction

Automate the extraction and analysis of JA4SSH fingerprints using tools like Zeek, Suricata, or custom Python scripts.

from scapy.all import TCP, Raw, sniff


def extract_ssh_info(packet):
    """Return the SSH identification string if this packet carries one, else None."""
    payload = bytes(packet[Raw].load)
    if payload.startswith(b"SSH-"):
        return payload.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    return None


def parse_ssh_packet(packet):
    # Client-to-server traffic on port 22 carries the client banner followed by its KEXINIT
    if packet.haslayer(TCP) and packet[TCP].dport == 22 and packet.haslayer(Raw):
        ssh_info = extract_ssh_info(packet)
        if ssh_info:
            print(f"SSH client banner: {ssh_info}")


sniff(filter="tcp port 22", prn=parse_ssh_packet)

Integration with IDS/IPS

Use JA4SSH fingerprints in Suricata or Snort rules to detect suspicious SSH activity.

alert tcp any any -> any 22 (msg:"JA4SSH Malicious Fingerprint Detected"; content:"SSH-2.0-"; pcre:"/OpenSSH_8.4/"; sid:1000001; rev:1;)

Step 6: Advanced Usage and Customization

Behavioral Analysis

Analyze JA4SSH fingerprints over time to establish baselines and detect deviations. Use clustering techniques to group similar clients and identify outliers.

Machine Learning Models

Train models on labeled fingerprint data to automate the classification of benign and malicious SSH clients. Use clustering and anomaly detection algorithms to discover new patterns.

Extended Fingerprinting

Incorporate additional SSH attributes, such as the client's preferred authentication methods or connection timings, to create more detailed fingerprints.

Step 7: Conclusion

JA4SSH fingerprinting offers a unique and powerful way to monitor and secure SSH traffic. By understanding and leveraging JA4SSH fingerprints, you can enhance your ability to detect anomalies, identify threats, and ensure the security of your network.