Quick-Labs
JA4
JA4

JA4+ Suite: Comprehensive Analysis and Calculations

The JA4+ suite encompasses advanced techniques for fingerprinting various aspects of network communications. These methods focus on different layers and protocols, providing deep insights into client and server behaviors, which are invaluable for network security and threat detection.

License: The JA4+ techniques are open-source under the BSD 3-Clause License. Some components like JA4L are experimental, patent pending, and licensed under the FoxIO License 1.1.

Table of Contents

  • JA4T: Advanced TCP Client Fingerprinting
  • JA4H: Advanced HTTP Client Fingerprinting
  • JA4X: Advanced X.509 Certificate Fingerprinting
  • JA4S: Advanced TLS Server Response Fingerprinting
  • Conclusion

JA4T: Advanced TCP Client Fingerprinting

Overview

JA4T (JA4TCP) fingerprints TCP clients by analyzing the characteristics of their TCP SYN packets. It focuses on the TCP header fields and options to uniquely identify operating systems, devices, or network stacks.

Key Concepts

  • TCP SYN Packet: Initiates a TCP connection.
  • TCP Header Fields: Include window size, flags, and options.
  • TCP Options: Optional parameters like MSS, Window Scale, SACK, and Timestamps.
  • TTL (Time To Live): Indicates packet's remaining lifespan.

Constructing the JA4T Fingerprint

Format:

f<tcp_flags>_o<tcp_options_hash>_ws<window_size>_ttl<ttl>_ip<ip_options_hash>

Example Calculation

Step 1: Gather Packet Data

  • TCP Flags: S (SYN)
  • TCP Options (in order): MSS (2), SACK Permitted (4), Timestamps (8), Window Scale (3)
  • Window Size: 65535
  • TTL: 128
  • IP Options: None

Step 2: Hash the TCP Options

  • Option Kinds Sequence: [2, 4, 8, 3]

Compute Hash:

import hashlib
options = [2, 4, 8, 3]
options_bytes = bytes(options)
options_hash = hashlib.sha1(options_bytes).hexdigest()[:5]  # 'a1b2c'

Step 3: Assemble the Fingerprint

fS_oa1b2c_ws65535_ttl128_ip000

Interpretation

  • Window Size 65535 and TTL 128 suggest a Windows OS.
  • Options Sequence matches common Windows TCP stack behavior.

JA4H: Advanced HTTP Client Fingerprinting

Overview

JA4H fingerprints HTTP clients by analyzing the structure and order of HTTP request headers. It captures the client's behavior without relying on variable content.

Key Concepts

  • HTTP Method and Version: E.g., GET HTTP/1.1.
  • Header Order: Sequence of headers as they appear.
  • Presence of Headers: Whether headers like Cookie or Referer are present.
  • Accept-Language: First four characters indicate locale.

Constructing the JA4H Fingerprint

Format:

<method><version>_c<cookie_present>_r<referer_present>_h<number_of_headers>_l<accept_language>_<headers_hash>

Example Calculation

Step 1: Gather Request Data

  • Method and Version: GET2 (GET HTTP/2)
  • Cookie Present: Yes (c1)
  • Referer Present: Yes (r1)
  • Number of Headers: 8 (h8)
  • Accept-Language: 'en-US,en;q=0.9' (l'en-U')
  • Headers (in order): Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Referer, Cookie, Connection

Step 2: Hash the Headers

  • Headers Concatenated: 'HostUser-AgentAcceptAccept-LanguageAccept-EncodingRefererCookieConnection'

Compute Hash:

import hashlib
headers_string = 'HostUser-AgentAcceptAccept-LanguageAccept-EncodingRefererCookieConnection'
headers_hash = hashlib.sha1(headers_string.encode()).hexdigest()[:5]  # 'b3d4e'

Step 3: Assemble the Fingerprint

GET2_c1_r1_h8_len-_b3d4e

Interpretation

  • Header Order and Presence can indicate specific browsers or bots.
  • Fingerprint Comparison helps identify client applications.

JA4X: Advanced X.509 Certificate Fingerprinting

Overview

JA4X fingerprints X.509 certificates by analyzing their structural components rather than their content values. It focuses on the issuer and subject RDNs and the extensions included.

Key Concepts

  • Issuer RDNs: Components of the issuer's name.
  • Subject RDNs: Components of the subject's name.
  • Extensions: Certificate extensions like Key Usage.

Constructing the JA4X Fingerprint

Format:

<issuer_hash>_<subject_hash>_<extensions_hash>

Example Calculation

Step 1: Gather Certificate Data

  • Issuer RDNs (in order): C, O, CN
  • Subject RDNs (in order): C, ST, L, O, OU, CN
  • Extensions (in order): Subject Key Identifier, Authority Key Identifier, Basic Constraints, Key Usage, Extended Key Usage

Step 2: Hash the Components

Issuer Hash:

issuer_string = 'C_O_CN'
issuer_hash = hashlib.sha1(issuer_string.encode()).hexdigest()[:5]  # 'd3e4f'

Subject Hash:

subject_string = 'C_ST_L_O_OU_CN'
subject_hash = hashlib.sha1(subject_string.encode()).hexdigest()[:5]  # 'a2b3c'

Extensions Hash:

extensions_string = 'SubjectKeyIdentifier_AuthorityKeyIdentifier_BasicConstraints_KeyUsage_ExtendedKeyUsage'
extensions_hash = hashlib.sha1(extensions_string.encode()).hexdigest()[:5]  # 'f4g5h'

Step 3: Assemble the Fingerprint

d3e4f_a2b3c_f4g5h

Interpretation

  • Certificate Structure can reveal the certificate generation tool.
  • Unique Fingerprints may indicate self-signed certificates used by malware.

JA4S: Advanced TLS Server Response Fingerprinting

Overview

JA4S fingerprints TLS servers by analyzing the ServerHello message during the TLS handshake. It focuses on the server's selected parameters.

Key Concepts

  • TLS Version: Protocol version used by the server.
  • ALPN Chosen: Application protocol selected (e.g., HTTP/2).
  • Cipher Suite: Cryptographic algorithms chosen.
  • Extensions: TLS extensions in the ServerHello.

Constructing the JA4S Fingerprint

Format:

<tls_version>_<alpn>_<cipher_suite>_<extensions_hash>

Example Calculation

Step 1: Gather ServerHello Data

  • TLS Version: 771 (TLS 1.2)
  • ALPN Chosen: h2
  • Cipher Suite: c02f (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
  • Extensions (in order): Server Name (0), Supported Groups (10), EC Point Formats (11), Session Ticket (35)

Step 2: Hash the Extensions

  • Extensions Sequence: [0, 10, 11, 35]

Compute Hash:

import hashlib
extensions = [0, 10, 11, 35]
extensions_bytes = bytes(extensions)
extensions_hash = hashlib.sha1(extensions_bytes).hexdigest()[:5]  # 'c5d6e'

Step 3: Assemble the Fingerprint

771_h2_c02f_c5d6e

Interpretation

  • Server Configurations can indicate server software or versions.
  • Unexpected Fingerprints may signal malicious servers.

Conclusion

The JA4+ suite provides powerful techniques for fingerprinting various aspects of network communications. By focusing on structural elements and configurations, these methods allow security professionals to:

  • Identify Clients and Servers: Determine operating systems, applications, and software versions.
  • Detect Anomalies: Spot deviations from normal behavior that may indicate security threats.
  • Enhance Security Monitoring: Integrate fingerprints into intrusion detection systems and threat hunting processes.

Disclaimer: The methods described are intended for educational and authorized use. Always ensure compliance with legal and ethical guidelines when analyzing network traffic.

import hashlib
 
# Example function to compute a SHA-1 hash for a given list of options
def compute_options_hash(options):
options_bytes = bytes(options)
return hashlib.sha1(options_bytes).hexdigest()[:5]
 
# Example usage
options = [2, 4, 8, 3]
options_hash = compute_options_hash(options)
print(f"Options Hash: {options_hash}")
import hashlib
 
# Example function to compute a SHA-1 hash for a given string
def compute_string_hash(input_string):
return hashlib.sha1(input_string.encode()).hexdigest()[:5]
 
# Example usage
input_string = 'HostUser-AgentAcceptAccept-LanguageAccept-EncodingRefererCookieConnection'
string_hash = compute_string_hash(input_string)
print(f"String Hash: {string_hash}")
JA4 Wireshark PluginJA4HTTP