Quick-Labs
JA4
JA4TScan

Components of a JA4TScan Fingerprint

TCP Flags Sent

The control bits set in the TCP header of the probe, such as SYN, ACK, FIN, RST, PSH, URG, ECE, and CWR.

Example:

  • SYN (S): Initiates a connection.
  • FIN (F): Requests to terminate the connection.
  • ACK (A): Acknowledges the receipt of data.
  • RST (R): Resets the connection.

TCP Options Sent

The optional settings carried in the probe's TCP header, such as Maximum Segment Size (MSS), Window Scale (WS), Selective Acknowledgment (SACK), and Timestamp.

Example:

  • MSS=1460: Sets the maximum segment size to 1460 bytes.
  • WS=7: Sets the window scale factor to 7.
  • SACK_PERM=1: Enables Selective Acknowledgment.
  • TS=0: No timestamp option included.

Responses Received

Analyze the types of responses from the target, such as SYN-ACK, RST, ICMP Host Unreachable, or no response.

Example:

  • SYN-ACK: Indicates an open port.
  • RST: Indicates a closed port.
  • No Response: May indicate a filtered port.

Response TCP Options

The TCP options the target returns in its response, which may differ from those sent, such as a different MSS value or an altered Window Scale setting.

Example:

  • Target responds with MSS=1380, indicating a different segment size.
  • WS=0: No window scaling applied.

Response Timing and Window Size

The timing and size of responses can provide clues about the operating system and network configuration.

Example:

  • A response time of 50 ms vs. 200 ms could indicate different network paths or processing delays.
  • A window size of 65535 suggests the target may be using a default TCP stack configuration.

Step 2: Setting Up and Conducting Active TCP Scans

Using Nmap for Active Scanning

SYN Scan (-sS)

Sends SYN packets to detect open ports without completing the TCP handshake.

Command:

nmap -sS -p 80,443 192.168.1.1

Example Output:

PORT    STATE  SERVICE
80/tcp  open   http
443/tcp open   https

ACK Scan (-sA)

Used to map out firewall rules by determining whether packets are filtered.

Command:

nmap -sA -p 22,23 192.168.1.1

Example Output:

PORT    STATE       SERVICE
22/tcp  unfiltered  ssh
23/tcp  filtered    telnet

Using Scapy for Custom Packet Crafting

Craft a SYN Packet

Create a custom SYN packet and send it to a target.

Python Script:

from scapy.all import IP, TCP, sr1
syn_packet = IP(dst="192.168.1.1") / TCP(dport=80, flags="S")
# sr1() sends the probe and returns the first reply, or None on timeout (filtered)
response = sr1(syn_packet, timeout=2, verbose=False)
print(response[TCP].flags if response is not None and TCP in response else "no TCP reply")  # SA open, RA closed

Expected Response: A SYN-ACK response indicates an open port, while a RST response indicates a closed port.

Craft a FIN Scan

Send a FIN packet to test for unconventional responses from a target.

Python Script:

from scapy.all import IP, TCP, send
# A FIN with no established connection; the target's reaction is what the lab is after
fin_packet = IP(dst="192.168.1.1") / TCP(dport=80, flags="F")
send(fin_packet)

Using Masscan for High-Speed Scanning

Basic Masscan Command

Scan an entire subnet for open ports quickly.

Command:

masscan -p80,443 192.168.1.0/24 --rate 10000

Example Output:

Discovered open port 80/tcp on 192.168.1.5
Discovered open port 443/tcp on 192.168.1.8

Using hping for Custom TCP Scans

Custom SYN Scan

Send SYN packets with a custom window size and TTL value.

Command:

hping3 -S -p 80 -c 3 -w 1024 --ttl 64 192.168.1.1

Example Output:

len=46 ip=192.168.1.1 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=0.2 ms

Step 3: Analyzing and Parsing Scan Responses

Interpreting Common Responses

SYN-ACK

Indicates the port is open and the service is accepting connections.

Example:

len=46 ip=192.168.1.1 ttl=64 flags=SA sport=80 win=29200

RST-ACK

Indicates the port is closed and the service is rejecting connections.

Example:

len=46 ip=192.168.1.1 ttl=64 flags=RA sport=80 win=0

No Response

Indicates the port may be filtered by a firewall.

Example: no replies at all to several SYN packets sent to the same port.

ICMP Host Unreachable

Indicates the target host is unreachable.

Example:

len=92 ip=192.168.1.1 icmp=3 host-unreachable

Extracting TCP Options from Responses

Using Wireshark

Capture packets and view TCP options in the packet details.

Steps:

  1. Start capturing on the desired network interface.
  2. Filter for tcp traffic.
  3. Select a packet and expand the Transmission Control Protocol section.
  4. View options like MSS, Window Scale, and SACK.

Using Scapy

Extract TCP options programmatically.

Python Script:

from scapy.all import sniff, TCP
# Capture ten TCP packets on the default interface and list each one's options
# as (kind, value) tuples, e.g. ('MSS', 1460), ('WScale', 7), ('SAckOK', b'')
packets = sniff(filter="tcp", count=10)
for packet in packets:
    if TCP in packet:
        print(packet[TCP].options)

Timing Analysis

Measure Response Times

Compare response times for different types of scans to assess network latency and possible filtering.

Example:

  • SYN scan response time: 50 ms.
  • ACK scan response time: 120 ms.

Network Delays vs. Processing Delays

Identify whether delays are due to network congestion or firewall processing.

Parsing Responses with Nmap

Use Nmap Scripts

Parse responses using built-in scripts like os-fingerprint.

Command:

nmap -O 192.168.1.1

Example Output:

OS details: Linux 2.6.32 - 4.8 (90%)

Step 4: Constructing the JA4TScan Fingerprint

Structure of the JA4TScan Fingerprint

Combining Components

Include TCP flags, response types, TCP options, window size, TTL, and timing.

Example Fingerprint:

  • TCP Flags Sent: S (SYN)
  • Response Type: SA (SYN-ACK)
  • TCP Options: MSS=1460, WS=7, SACK_PERM=1, TS=0
  • Window Size: 65535
  • TTL: 64
  • Timing: 100 ms

Hash Function

Use a hash function to uniquely identify fingerprints.

Example:

import hashlib
# Join the components in a fixed order so identical stacks always yield the same string
fingerprint = "S-SA-MSS1460-WS7-SACK1-TS0-W65535-TTL64-T100"
# Hash the string to get a short, fixed-length identifier for lookups
fingerprint_hash = hashlib.md5(fingerprint.encode()).hexdigest()
print(fingerprint_hash)
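The response interpretation from Step 3 and the assembly in this step, as an added Python example that is not part of the lab: it reads hping3-style response lines (constructed here), classifies the port state from the flags, and builds and hashes the fingerprint string in the lab's own format. The TCP options are assumed to have been captured separately (for instance with the Scapy sniff script in Step 3) and are passed in as a dict.

```python
import hashlib
import re

# Constructed hping3-style response lines in the lab's format; the rtt values are invented.
SAMPLE_RESPONSES = [
    "len=46 ip=192.168.1.1 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=65535 rtt=100.0 ms",
    "len=46 ip=192.168.1.1 ttl=64 DF id=0 sport=23 flags=RA seq=0 win=0 rtt=2.1 ms",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_response(line):
    """Turn one 'key=value ...' line into a dict; DF is a bare token, so handle it separately."""
    fields = dict(FIELD_RE.findall(line))
    fields["df"] = " DF " in f" {line} "
    return fields

def classify(fields):
    """Map the response flags to the port states described in Step 3."""
    flags = fields.get("flags", "")
    if "S" in flags and "A" in flags:
        return "open"
    if "R" in flags:
        return "closed"
    return "filtered"            # nothing usable came back

def build_fingerprint(fields, options, sent_flags="S"):
    """Assemble the lab's string, e.g. S-SA-MSS1460-WS7-SACK1-TS0-W65535-TTL64-T100.
    `options` holds the response's TCP options, assumed captured separately (e.g. with Scapy)."""
    parts = [sent_flags, fields["flags"]]
    parts += [f"{name}{value}" for name, value in options.items()]
    parts.append(f"W{fields['win']}")
    parts.append(f"TTL{fields['ttl']}")
    parts.append(f"T{round(float(fields['rtt']))}")   # timing component in whole ms
    return "-".join(parts)

def fingerprint_hash(fingerprint):
    """MD5 of the string, as in the lab's hash example, for compact lookups."""
    return hashlib.md5(fingerprint.encode()).hexdigest()

def process(lines, options):
    """Per line: (ip, port, state, fingerprint, hash); only open ports get a fingerprint."""
    rows = []
    for line in lines:
        f = parse_response(line)
        state = classify(f)
        fp = build_fingerprint(f, options) if state == "open" else None
        rows.append((f["ip"], int(f["sport"]), state, fp, fingerprint_hash(fp) if fp else None))
    return rows
```

Calling process(SAMPLE_RESPONSES, {"MSS": 1460, "WS": 7, "SACK": 1, "TS": 0}) reproduces the lab's example string for the open port and leaves the closed port without a fingerprint.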

Customizations

Add Sequence Numbers

Include initial sequence and acknowledgment numbers for deeper analysis.

Customize Hash Length

Adjust the hash length for different levels of detail.

Step 5: Practical Application of JA4TScan Fingerprints

Network Reconnaissance

Identifying Hosts and Services

Use fingerprints to identify hosts and services in a network.

Example: Detect an IIS web server based on the fingerprint S-SA-MSS1460-WS8-T128.

Identifying Operating Systems

Match fingerprints to known OS signatures.

Example: Linux hosts often respond with WS=0 and MSS=1460.

Service and Version Detection

Identifying Specific Services

Match service behaviors to known fingerprints.

Example: Apache HTTP server might use a specific MSS value and window size.

Detecting Vulnerable Versions

Use fingerprint deviations to identify outdated or vulnerable versions.

Example: Old versions of OpenSSL may use different TCP options than the latest.

Threat Hunting

Detect Known Malicious Fingerprints

Compare incoming traffic to a database of known attack tool fingerprints.

Example: A fingerprint associated with a Metasploit scan.

Identifying Scanning Tools

Recognize tools like Nmap or Masscan based on their unique scanning patterns.

Firewall and IDS Evasion

Test Evasion Techniques

Use crafted fingerprints to bypass firewall or IDS rules.

Example: Use low TTL values to evade stateful firewalls.

Evaluate Detection Rules

Test how different configurations affect detection rates.

Forensic Analysis

Analyze Historical Data

Use fingerprints to track attacker movements over time.

Example: Trace the same fingerprint to different IPs, indicating a botnet.

Investigate Anomalies

Look for unusual fingerprints that deviate from expected norms.

Step 6: Integration and Tooling

Nmap Integration

Using NSE Scripts

Automate fingerprint extraction with custom scripts.

Example Script: ja4t_fingerprint.nse to parse and log fingerprints.

Example Command

nmap --script ja4t_fingerprint -p 80,443 192.168.1.1

Masscan Integration

Large-Scale Scanning

Use Masscan for broad scans and import results for fingerprint analysis.

Example Command:

masscan -p80,443 192.168.1.0/24 -oX masscan_results.xml

Post-Processing

Parse Masscan output to generate JA4TScan fingerprints.
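An added example of this post-processing step, not part of the lab or of Masscan itself: it parses a constructed masscan -oX file with the standard library and emits the partial fingerprint that Masscan's output can support. The element layout follows what masscan writes; the hosts, ports and timestamps are made up.

```python
import xml.etree.ElementTree as ET

# Constructed masscan -oX output. The element layout follows what masscan writes
# (host/address/ports/port/state with reason and reason_ttl); the records are invented.
MASSCAN_XML = """<?xml version="1.0"?>
<!-- masscan v1.0 scan -->
<nmaprun scanner="masscan" start="1700000000" version="1.0-BETA" xmloutputversion="1.03">
<scaninfo type="syn" protocol="tcp" />
<host endtime="1700000000"><address addr="192.168.1.5" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1700000001"><address addr="192.168.1.8" addrtype="ipv4"/><ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<runstats><finished time="1700000002" elapsed="2" /><hosts up="2" down="0" total="2" /></runstats>
</nmaprun>
"""

REASON_TO_FLAGS = {"syn-ack": "SA", "rst": "RA"}   # masscan 'reason' -> response flags

def parse_masscan(xml_text):
    """Yield (ip, port, state, response_flags, ttl) for every port record in the file."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        ip = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            yield (ip, int(port.get("portid")), state.get("state"),
                   REASON_TO_FLAGS.get(state.get("reason"), "?"),
                   int(state.get("reason_ttl", 0)))

def masscan_fingerprints(xml_text, sent_flags="S"):
    """Partial JA4TScan-style fingerprint per open port, keyed by host. masscan records
    neither TCP options nor the window size, so only the flag pair and TTL are filled in;
    the rest has to come from a follow-up probe (hping3 or Scapy) if it is needed."""
    result = {}
    for ip, port, state, flags, ttl in parse_masscan(xml_text):
        if state == "open":
            result.setdefault(ip, {})[port] = f"{sent_flags}-{flags}-TTL{ttl}"
    return result
```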

Scapy Integration

Customized Fingerprinting

Use Scapy to create highly customized fingerprints for specific use cases.

Example: Craft packets with unique TCP options to test detection.

Automated Scripts

Build Python scripts to automate scans and log fingerprints.

SIEM Integration

Feeding Data into SIEMs

Integrate with Splunk or ELK to monitor for known fingerprints.

Example Log Entry: JA4TScan alert: fingerprint S-SA-MSS1460-WS8-W65535 detected from 192.168.1.5.

Real-Time Alerts

Trigger alerts when malicious fingerprints are detected.
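The SIEM matching and alerting described above, as an added Python example that is not the lab's own code: it reads constructed sensor records, matches fingerprints against an assumed watchlist (the label is a placeholder, not a published signature), and also raises a sweep alert when one source hits several ports with the same fingerprint, the scanning-tool pattern from Step 5.

```python
import re
from collections import defaultdict

# Constructed sensor records, one per probe seen, carrying the fingerprint computed for it.
# Timestamps, addresses and fingerprints are invented for the example.
SENSOR_LOG = [
    "2024-05-01T02:00:01Z src=192.168.1.5 dport=80 ja4tscan=S-SA-MSS1460-WS8-W65535",
    "2024-05-01T02:00:01Z src=192.168.1.5 dport=443 ja4tscan=S-SA-MSS1460-WS8-W65535",
    "2024-05-01T02:00:02Z src=192.168.1.5 dport=22 ja4tscan=S-SA-MSS1460-WS8-W65535",
    "2024-05-01T02:00:09Z src=192.168.1.20 dport=443 ja4tscan=S-SA-MSS1460-WS7-SACK1-TS0-W65535-TTL64-T100",
    "2024-05-01T02:00:10Z src=192.168.1.33 dport=80 ja4tscan=S-RA-W0-TTL64",
]

# Assumed watchlist; the label is a placeholder, not a published tool signature.
KNOWN_BAD = {"S-SA-MSS1460-WS8-W65535": "PLACEHOLDER: watchlisted scanner fingerprint"}
PORT_SWEEP_THRESHOLD = 3   # distinct destination ports from one source before a sweep alert

RECORD_RE = re.compile(r"src=(\S+) dport=(\d+) ja4tscan=(\S+)")

def parse_record(line):
    """Extract source, destination port and fingerprint; None for a malformed line."""
    m = RECORD_RE.search(line)
    return None if m is None else {"src": m.group(1), "dport": int(m.group(2)), "fp": m.group(3)}

def detect(lines, known_bad=KNOWN_BAD, threshold=PORT_SWEEP_THRESHOLD):
    """Return alert strings in the lab's log format. A watchlist hit fires once per
    (source, fingerprint); a sweep alert fires once when the port threshold is crossed."""
    alerts, reported, ports_by_key = [], set(), defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue                      # skip bad records rather than stop the pipeline
        key = (rec["src"], rec["fp"])
        if rec["fp"] in known_bad and key not in reported:
            reported.add(key)
            alerts.append(f"JA4TScan alert: fingerprint {rec['fp']} detected from {rec['src']}. "
                          f"({known_bad[rec['fp']]})")
        ports_by_key[key].add(rec["dport"])
        if len(ports_by_key[key]) == threshold:
            alerts.append(f"JA4TScan alert: fingerprint {rec['fp']} from {rec['src']} "
                          f"hit {threshold} ports, possible sweep.")
    return alerts
```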

Automation

Scheduled Scans

Use cron jobs to automate regular network scans.

Example Cron Job:

0 2 * * * nmap -sS -p 80,443 192.168.1.0/24 --script ja4t_fingerprint

Auto-Response

Implement scripts to block IPs based on fingerprint detection.

Step 7: Advanced Usage and Customization

Custom Fingerprint Attributes

Extended Fingerprints

Include extra attributes like IP ID sequences, TTL variance, and DF (Don’t Fragment) flags.

Example: S-SA-MSS1460-WS7-SACK1-TS0-DF-W65535-T64-ID12345

Behavioral Analysis

Client and Server Profiles

Build detailed profiles based on repeated scan results.

Example: Client A always uses MSS=1460 and WS=8, while client B uses MSS=1400.

Detecting Behavioral Changes

Alert when known clients or servers change their fingerprint.

Example: A server previously using TTL=128 suddenly changes to TTL=64.
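The profile building and change detection from this section, as an added example that is not part of the lab: each host's first three observations form its profile, and any later fingerprint outside that profile is reported together with the components that changed (the TTL=128 to TTL=64 case above included). The observations are constructed.

```python
import re
from collections import defaultdict

# Constructed observations (date, host, fingerprint) as a scheduled scan would log them.
OBSERVATIONS = [
    ("2024-05-01", "192.168.1.10", "S-SA-MSS1460-WS8-W65535-TTL128"),
    ("2024-05-02", "192.168.1.10", "S-SA-MSS1460-WS8-W65535-TTL128"),
    ("2024-05-03", "192.168.1.10", "S-SA-MSS1460-WS8-W65535-TTL128"),
    ("2024-05-04", "192.168.1.10", "S-SA-MSS1460-WS7-W65535-TTL64"),   # looks like a new stack
    ("2024-05-01", "192.168.1.20", "S-SA-MSS1400-WS7-W29200-TTL64"),
    ("2024-05-02", "192.168.1.20", "S-SA-MSS1400-WS7-W29200-TTL64"),
]
BASELINE_OBSERVATIONS = 3   # a host's first N observations define its profile

COMPONENT_RE = re.compile(r"^([A-Z]+)(\d*)$")

def components(fp):
    """Split 'S-SA-MSS1460-WS8-...' into {'sent': 'S', 'resp': 'SA', 'MSS': '1460', ...}.
    The two flag fields are keyed by position; a bare flag such as DF is stored as '1'."""
    parts = fp.split("-")
    out = {"sent": parts[0], "resp": parts[1]}
    for part in parts[2:]:
        m = COMPONENT_RE.match(part)
        if m:
            out[m.group(1)] = m.group(2) or "1"
    return out

def diff(old_fp, new_fp):
    """Components that differ between two fingerprints, as {name: (old, new)}."""
    a, b = components(old_fp), components(new_fp)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def detect_changes(observations, n_baseline=BASELINE_OBSERVATIONS):
    """Profile each host from its first n_baseline observations, then report every later
    fingerprint outside the profile together with the components that changed."""
    profile, seen, alerts = defaultdict(list), defaultdict(int), []
    for when, host, fp in observations:
        seen[host] += 1
        if seen[host] <= n_baseline:
            if fp not in profile[host]:
                profile[host].append(fp)
        elif fp not in profile[host]:
            alerts.append((when, host, diff(profile[host][-1], fp)))
    return alerts
```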

Machine Learning Models

Training Models

Train models on labeled fingerprints to classify new scans.

Example: Use SVM or Decision Trees to differentiate between legitimate and malicious traffic.

Clustering Techniques

Group similar fingerprints to find new patterns.

Example: Cluster similar client fingerprints to detect botnet behavior.

Anomaly Detection

Use clustering and outlier detection to spot unusual activity.

Example: Detect an unknown scanner that doesn’t match any existing fingerprints.