JA3-JA4-scanner
JA3-JA4-scanner Description
JA3-JA4-scanner is a utility that will show JA3 and JA4 fingerprints for a program on your computer (a web browser, a command line utility, or any other application that can make requests via HTTPS protocol).
JA3 and JA4 are TLS fingerprints, which are small hash strings.
TLS Fingerprinting is a technique for obtaining unique fingerprints of clients and servers that allow you to determine the type of software used (web browser, console utility, bot, malware, etc.).
A TLS (Transport Layer Security) handshake is used for identification. Only the unencrypted part of the handshake is used, so there is no need to decrypt any data.
A TLS handshake has enough distinctive features to identify the client (which software group it belongs to) and, sometimes, even the version of the program.
A TLS fingerprint is a hash obtained by hashing the identifying features of the client or server.
Typically, different groups of clients have different TLS fingerprint values, but sometimes the hash values can be the same for unrelated utilities and programs.
A distinction is made between server and client TLS fingerprints. Sometimes the same program can be both a server (listening for incoming connections) and a client (initiating connections) – for example, this happens among malware acting as a Command and Control infrastructure (also known as C2 or C&C).
Description of the output fields:
- JA3 – the original version of the client TLS fingerprint. Currently, the Google Chrome web browser actively resists this kind of TLS fingerprinting; as a result, for Google Chrome this value is different every time.
- JA3_FULL – raw data used to compute the JA3 hash.
- JA3N – an improved version of JA3. It sorts the part of the data whose order is randomized in Google Chrome, so the hash is the same for all Google Chrome requests (and for other applications that use this method of preventing TLS fingerprinting).
- JA3N_FULL – the raw data used to obtain the JA3N hash.
- JA4 – the next version of the client TLS fingerprint. Currently, it gives stable (identical) results for the Google Chrome web browser.
- JA4_R – raw data used to compute the JA4 hash.
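The relationship between JA3_FULL, JA3, JA3N_FULL and JA3N described above, as an added Python example (it is not part of JA3-JA4-scanner). It assumes the standard JA3 raw layout (version, ciphers, extensions, curves, point formats, hashed with MD5) and an ascending numeric sort of the extension list for JA3N; the two raw strings are constructed samples, not captured traffic.

```python
import hashlib


def ja3_hash(ja3_full: str) -> str:
    """JA3 is the MD5 hex digest of the raw string (the JA3_FULL field)."""
    return hashlib.md5(ja3_full.encode("ascii")).hexdigest()


def ja3n_full(ja3_full: str) -> str:
    """Return the raw string with the extension list sorted (JA3N_FULL)."""
    fields = ja3_full.split(",")
    if len(fields) != 5:
        raise ValueError("expected 5 comma-separated fields, got %d" % len(fields))
    version, ciphers, extensions, curves, point_formats = fields
    if extensions:  # a ClientHello without extensions leaves this field empty
        # Assumption: ascending numeric order; the scanner may sort differently,
        # so hashes printed here need not equal the tool's JA3N output.
        ids = sorted(int(e) for e in extensions.split("-"))
        extensions = "-".join(str(n) for n in ids)
    return ",".join([version, ciphers, extensions, curves, point_formats])


def ja3n_hash(ja3_full: str) -> str:
    """JA3N is the MD5 hex digest of the normalized raw string."""
    return ja3_hash(ja3n_full(ja3_full))


# Constructed samples: the same client settings, with the extension list
# (third field) in two different orders, as a randomizing client would send.
CHROME_LIKE_A = ("771,4865-4866-4867-49195-49199,"
                 "0-23-65281-10-11-35-16-5-13-51-45-43,29-23-24,0")
CHROME_LIKE_B = ("771,4865-4866-4867-49195-49199,"
                 "51-0-13-43-65281-5-10-35-23-45-16-11,29-23-24,0")

if __name__ == "__main__":
    for raw in (CHROME_LIKE_A, CHROME_LIKE_B):
        print("JA3_FULL :", raw)
        print("JA3      :", ja3_hash(raw))   # differs between the two samples
        print("JA3N_FULL:", ja3n_full(raw))
        print("JA3N     :", ja3n_hash(raw))  # identical for both samples
```

When matching clients in logs, compare on JA3N (or JA4) rather than JA3 for software that randomizes extension order, otherwise every connection looks like a new client.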
Homepage: https://en.kali.tools/?p=1860
Author: Alexey Miloserdov
License: GPLv3
JA3-JA4-scanner Help
Usage:
Run the script with root privileges:
sudo bash ja3-ja4-scanner.sh
The script needs very little time to prepare for work – about a second.
After that, open the address https://w-e-b.site with any application (for example, a web browser) for which you want to scan JA3 and JA4.
Almost immediately after opening the specified address, the program will output the hashes of JA3 and JA4 (as well as JA3_FULL and JA4_R) and exit.
Options:
The program has no options.
JA3-JA4-scanner Manual
The man page is missing.
JA3-JA4-scanner Usage Example
Example 1.
Example of using JA3-JA4-scanner to get JA3 and JA4 fingerprints for cURL utility.
In the first terminal window, run JA3-JA4-scanner:
sudo bash ja3-ja4-scanner.sh
In another terminal window, run the command, specifying https://w-e-b.site as the URL:
curl -A 'Chrome' 'https://w-e-b.site'
Example 2.
Similarly, you can get JA3 and JA4 fingerprints for the wget utility.
In the first terminal window, run JA3-JA4-scanner:
sudo bash ja3-ja4-scanner.sh
In another terminal window, run the command, specifying https://w-e-b.site as the URL:
wget 'https://w-e-b.site'
Example 3.
Getting JA3 and JA4 for Firefox web browser:
Run JA3-JA4-scanner:
sudo bash ja3-ja4-scanner.sh
Open https://w-e-b.site in Firefox.
How to install JA3-JA4-scanner
Installation on Kali Linux
sudo apt install tshark
wget -O ja3-ja4-scanner.sh https://kali.tools/files/scripts/ja3-ja4-scanner
Installation on BlackArch
sudo pacman -S wireshark-cli
wget -O ja3-ja4-scanner.sh https://kali.tools/files/scripts/ja3-ja4-scanner
Installation on Debian, Linux Mint, Ubuntu
sudo apt update
sudo apt install tshark
wget -O ja3-ja4-scanner.sh https://kali.tools/files/scripts/ja3-ja4-scanner
JA3-JA4-scanner Tutorials
- 1. TLS fingerprinting: methods for identifying client and server software
- 2. TLS fingerprinting of clients: hash types, utilities for displaying TLS fingerprints of clients
- 3. TLS fingerprinting of servers: hash types, utilities for displaying TLS fingerprints of servers
- Free online service for scanning TLS fingerprints of client applications (JA3 and JA4 scanner): https://w-e-b.site/?act=client-tls-fingerprinting
- Online JA3 and JA4 scanner (mirror): https://suip.biz/?act=client-tls-fingerprinting
This service has a variant for console utilities at https://w-e-b.site/?act=ja4. Example of usage:
curl -A 'Chrome' 'https://w-e-b.site/?act=ja4'