Quick-Labs
JA4
JA4T

JA4TCP (JA4T)

JA4TCP (JA4T) is a technique for fingerprinting TCP clients based on their packet attributes and TCP options. By analyzing these low-level network characteristics, we can identify different TCP stacks and client behaviors. This is invaluable for detecting anomalies, distinguishing between legitimate and malicious clients, and conducting in-depth forensic analysis.

In this guide, we'll dive deep into JA4T, exploring its components, practical applications, and how to integrate it into your security infrastructure.

Table of Contents

  1. Understanding JA4T Components
  2. Capturing and Extracting TCP Client Information
  3. Parsing and Analyzing TCP Options
  4. Constructing the JA4T Fingerprint
  5. Practical Application of JA4T Fingerprints
  6. Integration and Tooling
  7. Advanced Usage and Customization
  8. JA4L: Light Distance (Update)
  9. Conclusion

Step 1: Understanding JA4T Components

Before diving into the mechanics of JA4T, it's crucial to understand the components that make up a JA4T fingerprint. These elements are extracted from the TCP and IP headers of network packets.

Components of a JA4T Fingerprint

  • TCP Flags: Indicators in the TCP header that signify control messages. Common flags include SYN (synchronize), ACK (acknowledge), FIN (finish), and RST (reset). These flags orchestrate the setup, maintenance, and termination of TCP connections.
  • TCP Options: Optional parameters in the TCP header that enhance performance and functionality. Notable options are:
  • Maximum Segment Size (MSS): Defines the largest segment size the client can receive.
  • Window Scale: Allows for larger window sizes to support high-bandwidth networks.
  • Selective Acknowledgment (SACK): Enables acknowledgment of non-contiguous data, improving efficiency in data transmission.
  • Timestamp: Assists in round-trip time (RTT) calculations and helps prevent sequence number wrapping.
  • Window Size: A flow control mechanism that specifies the amount of data (in bytes) that the receiver is willing to accept.
  • TTL (Time to Live): A field in the IP header that limits the lifespan of a packet. Each router decrements the TTL by one; when it reaches zero, the packet is discarded. This prevents routing loops.
  • IP Header Options: Optional fields in the IP header that can specify additional processing or routing behaviors, such as Record Route, Timestamp, or Security options.

Understanding these components allows us to construct a unique fingerprint that represents a client's TCP/IP stack behavior.

Step 2: Capturing and Extracting TCP Client Information

To generate JA4T fingerprints, we need to capture TCP packets and extract relevant information. There are several tools and methods to achieve this.

Using Wireshark

  1. Start Capturing: Launch Wireshark and select the appropriate network interface to monitor.
  2. Apply Filters: Use the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0 to focus on TCP SYN packets, which initiate connections.
  3. Capture Traffic: Initiate a connection from the client you wish to fingerprint.
  4. Stop Capture: After the TCP handshake, stop the capture to prevent unnecessary data collection.
  5. Analyze Packets: Examine the captured SYN packets to extract TCP options, flags, and other header information.

Using Zeek

  1. Configure Zeek: Set up Zeek to monitor network traffic on the desired interface.
  2. Capture TCP Traffic: Zeek automatically logs TCP connection details in conn.log.
  3. Extract Information: Use Zeek's scripting language to parse conn.log and extract TCP options and flags.
# Zeek script to extract JA4T fingerprint
event zeek_init()
{
        redef record Conn::Info += {
                ja4t_fingerprint: string &default="";
        };
}

event connection_established(c: connection)
{
        # Extract TCP options and compute JA4T fingerprint
        c$conn$info$ja4t_fingerprint = compute_ja4t(c);
}

Using tcpdump

  1. Run tcpdump: Execute tcpdump -i <interface> 'tcp[13] & 2 != 0' to capture SYN packets.
  2. Save Output: Redirect output to a file for later analysis.
  3. Analyze Data: Use tcpdump's verbose output options to view TCP header details.
tcpdump -vvv -nn -i eth0 'tcp[tcpflags] & tcp-syn != 0'

Using Python Script with Scapy

  1. Set Up Environment: Ensure Scapy is installed (pip install scapy).
  2. Write Script: Use Scapy to sniff packets and filter for TCP SYN packets.
from scapy.all import sniff, TCP
 
def packet_callback(packet):
        if packet.haslayer(TCP) and packet[TCP].flags == 'S':
                tcp_options = packet[TCP].options
                window_size = packet[TCP].window
                ttl = packet.ttl
                # Compute JA4T fingerprint
                fingerprint = compute_ja4t(tcp_options, window_size, ttl)
                print(f"JA4T Fingerprint: {fingerprint}")
 
sniff(filter="tcp", prn=packet_callback, store=0)

Step 3: Parsing and Analyzing TCP Options

Once we have captured the packets, the next step is to parse the TCP options to create a unique fingerprint.

Common TCP Options and Their Uses

  • MSS (Maximum Segment Size): Helps in optimizing data flow by preventing fragmentation.
  • Window Scale: Essential for high-bandwidth networks to allow window sizes greater than 65,535 bytes.
  • SACK (Selective Acknowledgment): Improves performance by allowing the retransmission of only missing data segments.
  • Timestamp: Provides better RTT measurements and protects against old duplicate segments.

Extracting and Analyzing Options

  1. Extract Options: Use tools like Wireshark to list the TCP options in the order they appear.
  2. Analyze Sequence: The sequence and values of TCP options can be indicative of specific operating systems or TCP stack implementations.
  3. Create Unique Identifier: By hashing the sequence and values of options, we can generate a unique identifier for the client.

Example:

If a client has options [MSS=1460, SACK_PERM=1, TSval=0, WS=7], this sequence can help identify the client's operating system or application.

Step 4: Constructing the JA4T Fingerprint

With all components at hand, we can now construct the JA4T fingerprint.

Structure of the JA4T Fingerprint

The general format is:

f<tcp_flags>_o<tcp_options_hash>_ws<window_size>_ttl<ttl>_ip<ip_options_hash>
  • f: TCP flags set in the packet (e.g., S for SYN).
  • o: Hash of the ordered TCP options.
  • ws: Window size value.
  • ttl: TTL value from the IP header.
  • ip: Hash of the IP header options (if any).

Example Fingerprint

Let's build a fingerprint step by step.

  • TCP Flags: S (SYN flag is set).
  • TCP Options: [MSS=1460, WS=7, SACK_PERM=1, TS=0].
  • Options Sequence: The order matters. We'll hash this sequence.
  • Options Hash: Let's say the hash is 7a5b6.
  • Window Size: 65535.
  • TTL: 64.
  • IP Options: None (hash is 000).

JA4T Fingerprint:

fS_o7a5b6_ws65535_ttl64_ip000

Customizations

  • Additional Fields: Include initial sequence numbers (isn) or acknowledgment numbers (ack) for more granularity.
  • Hash Functions: Use stronger hash functions like SHA-256 if collisions are a concern.
  • Option Details: Incorporate exact option values instead of hashes for environments where options are consistent and controlled.

Step 5: Practical Application of JA4T Fingerprints

JA4T fingerprints are not just theoretical constructs—they have practical applications in network security and management.

Distinguishing Legitimate Clients

By maintaining a database of JA4T fingerprints associated with known legitimate clients, we can quickly verify if an incoming connection is from an expected source.

Example:

  • Scenario: A corporate network where only company-issued devices should access sensitive servers.
  • Action: Compare incoming JA4T fingerprints against the known list. Any deviation triggers an alert or access denial.

Anomaly Detection

Unexpected changes in JA4T fingerprints can indicate compromised devices or unauthorized access attempts.

Example:

  • Normal Behavior: All clients use a specific set of TCP options.
  • Anomaly: A client connects with a different options sequence, suggesting tampering or the presence of malware.

Threat Hunting

Identify patterns associated with known threats.

Example:

  • Malware Identification: Certain malware may use a non-standard TCP stack, resulting in unique JA4T fingerprints.
  • Action: Monitor for these fingerprints to detect and block malicious activity.

Forensic Analysis

During post-incident investigations, JA4T fingerprints can help trace the activities of specific clients.

Example:

  • Incident: Data exfiltration detected.
  • Analysis: Review historical JA4T fingerprints to identify the client and reconstruct the sequence of events.

Network Monitoring and Performance Tuning

Understanding client TCP behaviors can aid in optimizing network configurations.

Example:

  • Issue: Clients experiencing slow connections.
  • Solution: Analyze JA4T fingerprints to identify suboptimal TCP options (e.g., low window sizes) and adjust configurations accordingly.

Step 6: Integration and Tooling

Integrating JA4T fingerprinting into existing tools enhances their capabilities.

Zeek Integration

Zeek, a powerful network analysis framework, can be extended to process JA4T fingerprints.

  • Custom Scripts: Write Zeek scripts to parse TCP options and generate fingerprints.
  • Event Handling: Use Zeek's event-driven architecture to trigger alerts based on fingerprints.
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string)
{
        if (is_orig && flags == "S")
        {
                local options = c$tcp$opt;
                local window_size = c$tcp$window;
                local ttl = c$ip$ttl;
                # Compute JA4T fingerprint
                c$conn$info$ja4t_fingerprint = compute_ja4t(options, window_size, ttl);
        }
}

Suricata Integration

Suricata, an open-source IDS/IPS, can utilize JA4T fingerprints for advanced detection.

  • Rule Writing: Create custom Suricata rules that match specific TCP option patterns.
  • Real-Time Alerts: Suricata can generate alerts when a fingerprint associated with malicious activity is detected.
alert tcp any any -> any any (msg:"JA4T Malicious Fingerprint Detected"; flags:S; tcp.hdr_len > 20; content:"|02 04 05 B4|"; offset:20; depth:4; sid:1000001; rev:1;)

SIEM Integration

Feed JA4T fingerprints into SIEM platforms for centralized analysis.

  • Dashboards: Visualize fingerprint data to spot trends and anomalies.
  • Correlation: Combine JA4T data with other logs (e.g., authentication logs) for comprehensive security insights.
index=network sourcetype=zeek_conn | stats count by ja4t_fingerprint | sort -count

Automation

Automate the fingerprint extraction and analysis process.

  • Scheduled Scripts: Run scripts at regular intervals to update fingerprint databases.
  • SOAR Platforms: Integrate with Security Orchestration, Automation, and Response tools to automate responses to detected threats.
import time
from scapy.all import sniff, TCP
 
def analyze_packet(packet):
        if packet.haslayer(TCP) and packet[TCP].flags == 'S':
                tcp_options = packet[TCP].options
                window_size = packet[TCP].window
                ttl = packet.ttl
                # Compute JA4T fingerprint
                fingerprint = compute_ja4t(tcp_options, window_size, ttl)
                # Log or take action based on fingerprint
                log_fingerprint(fingerprint)
 
sniff(filter="tcp[tcpflags] & tcp-syn != 0", prn=analyze_packet)

Step 7: Advanced Usage and Customization

For more nuanced applications, JA4T can be extended and tailored.

Custom Fingerprint Attributes

Enhance fingerprints with additional attributes for deeper analysis.

  • Initial Sequence Number (ISN): Including the ISN can help in detecting spoofed connections.
  • Acknowledgment Numbers: Including acknowledgment numbers can help differentiate between clients with similar configurations.

Example Extended Fingerprint:

fS_o7a5b6_ws65535_ttl64_ip000_isn123456_ack0

Behavioral Analysis

Use fingerprints to build profiles of typical client behavior.

  • Baselining: Establish what 'normal' looks like and alert on deviations.
  • Anomaly Detection: Identify deviations from normal client behavior using statistical methods.

Machine Learning Models

Automate anomaly detection with machine learning.

  • Supervised Learning: Train models on labeled data to classify benign vs. malicious fingerprints.
  • Unsupervised Learning: Use clustering to identify outliers in fingerprint data.

Example Workflow:

  • Data Collection: Gather a large dataset of JA4T fingerprints.
  • Feature Engineering: Extract features such as TCP options, window size, TTL, etc.
  • Model Training: Use algorithms like Random Forest or SVM for classification.
  • Deployment: Integrate the model into your network monitoring system.

Advanced Threat Hunting

Combine JA4T with other network and application fingerprints to create multi-layered detection strategies.

  • Correlation with JA3/JA4: Use JA4T fingerprints alongside JA3 (TLS) or JA4 (HTTP) fingerprints to build comprehensive client profiles.
  • Multi-Protocol Analysis: Correlate JA4T fingerprints with other protocol behaviors (e.g., HTTP headers, TLS options) to detect sophisticated threats.
JA4SSHJA4TS