JA3S-JA4S-scanner

JA3S-JA4S-scanner Description

JA3S-JA4S-scanner is a utility for actively scanning servers and getting their JA3S and JA4S hashes used for TLS fingerprinting (identification by TLS properties).

In addition to JA3S and JA4S hashes, the utility outputs the full strings used for hashing (JA3S_FULL and JA4S_R, respectively). This data can be used to visually study what exactly has changed in the server's response.

For scanning, you can specify an IP or host name (domain).

The utility can scan single hosts, IP address subnets, and targets from a specified file (IPs or hosts).

By default, scanning is performed on port 443, but you can change it with an option.

By default, the utility displays scan results on the screen, but you can also save scan results to a file.

When scanning subnets, multithreading is used – you can choose the number of threads based on your computer's resources.

JA3S-JA4S-scanner can extract JA3S and JA4S hashes from existing capture files.

Dependencies:

  • Required: tshark (console version of Wireshark), curl, awk, sed (the last 3 should be present by default in all Linux distributions)
  • Required: JA4+ Wireshark plugin (https://github.com/FoxIO-LLC/ja4/tree/main/wireshark/binaries/linux). This plugin is used to obtain JA4S and JA4S_R. Without this plugin, the utility can only output the JA3S hash and the full JA3S_FULL string.
  • Only needed for subnet scanning: Interlace (https://github.com/codingo/Interlace)
  • Only needed if you want to make requests to servers not only with cURL, but also by pretending to be web browsers (like Google Chrome): curl-impersonate (https://github.com/lwthiker/curl-impersonate). The curl-impersonate utility simulates the TLS fingerprints of a real web browser.

Homepage: https://en.kali.tools/?p=1878

Author: Alexey Miloserdov

License: GPLv3

JA3S-JA4S-scanner Help

Usage:

sudo bash ja3s-ja4s-scanner.sh [OPTIONS]

One of the following options must be specified: -i or -f or -s.

Options:

	-h 		| --help		Show this help and exit
	-i HOST 	| --ip HOST		Scan target – can be an IP address or a host name.
	-p PORT 	| --port PORT		Port to scan. Default: 443
	-f FILE 	| --file FILE		Path to file with targets, which can be IP address or host name (HOST:PORT format)
	-o OUTFILE 	| --output OUTFILE	Save scan result to specified file
	-s SUBNET 	| --subnet SUBNET	IP address subnet
	-t SECONDS 	| --timeout SECONDS	Timeout — time during which to wait for JA3S
	-q 		| --quiet		Quiet mode — used only for -s.
	-m THREADS 	| --threads THREADS	Number of threads — used only for -s. Default: 50
	-b 		| --black		Black and white output (enabled by default when outputting to a file)
	-e FILE 	| --extract FILE	Extract JA3S and JA4S hashes from the capture file. It requires the -i option with the target server.
	-u 		| --useragent		Impersonate a web browser. Available: curl, chrome, ff, safari, edge, android. If curl-impersonate is installed, default: 'chrome', otherwise 'curl'

JA3S-JA4S-scanner Manual

The man page is missing.

One (any) of the -i or -f or -s options is mandatory. Each option is mutually exclusive with the others.

The host can be specified as a domain name or as an IP address. IPv6 addresses are also supported for single scans and for scanning targets from a file.

If the target server is not listening for incoming connections on the specified port, or if the host name is specified incorrectly (it cannot be resolved to an IP address), an error message will be displayed:

Failed to connect to the target server

In other problematic cases (for example, an invalid TLS certificate), the program still tries to connect and get JA3S/JA4S hashes.

By default, port 443 is scanned. If you want to specify a different port, do so with the -p option.

The -f option allows you to specify the path to the targets in the file. Each target must be on a new line. For each target, you can specify a different port for scanning in the HOST:PORT format. If the port is standard, then it is not necessary to specify it. Note that this mode does NOT require Interlace (which is required for the -s mode), but the scanning is not fast.

By default, the scan results are displayed on the screen. If you want to save the results to a file, then specify the path to the file using the -o option. It is safe to use for several consecutive scans, since the file is always appended with the previous contents preserved.

The -t option sets the timeout – the time during which the script waits to receive JA3S and JA4S hashes. The default timeouts are already set in the script, if desired, you can change them using the -t option.

The -b option enables black and white output (enabled by default when outputting to a file). In this case, colors are not used to highlight the hashes.

If you already have a file with captured network traffic, you can extract JA3S and JA4S hashes from it. To do this, specify the path to the file after the -e option. All of the many capture file formats that Wireshark can handle are supported. You also need to specify the -i option with the target server. Note that the -e option extracts all available hashes in the capture file for the specified target. The hashes may differ, for example, the JA3S/JA4S hash of the first connection and the hash of reconnections are often different for both servers and clients.

The -s option allows you to specify a subnet of IP addresses to scan – the same notations as in Interlace (all popular ways of writing IP address ranges) are supported. In this case, a multi-threaded scan is started.

Options that only work when multi-threaded scanning (when specifying a subnet with the -s option):

  • The -q option enables quiet mode. Suppresses most output, including not printing the scan results. To get the results, save them to a file with the -o option.
  • The -m THREADS option sets the number of threads. Specifies how many simultaneous scans to run when scanning subnets. Default: 50. You can increase or decrease this number depending on the resources (RAM and CPU performance) of your computer.

JA3S-JA4S-scanner Usage Example

Scan a single IP address (-i 185.117.153.79):

sudo bash ja3s-ja4s-scanner.sh -i 185.117.153.79

Scan a specified domain (-i w-e-b.site):

sudo bash ja3s-ja4s-scanner.sh -i w-e-b.site

Scan a specified host (-i hackware.local) on a non-standard port (-p 50433):

sudo bash ja3s-ja4s-scanner.sh -i hackware.local -p 50443

Scan a specified IPv6 address (-i 2604:a880:800:c1::2ae:d001):

sudo bash ja3s-ja4s-scanner.sh -i 2604:a880:800:c1::2ae:d001

Scan a given IPv6 address (-i 2001:4860:4860::8888) (short notation supported):

sudo bash ja3s-ja4s-scanner.sh -i 2001:4860:4860::8888

Scan a single host (-i suip.biz) and save the results to a file (-o results.txt):

sudo bash ja3s-ja4s-scanner.sh -i suip.biz -o results.txt

Scan a single host (-i suip.biz) pretending to be the Google Chrome web browser (-u chrome):

sudo bash ja3s-ja4s-scanner.sh -i suip.biz -u chrome

Scan single host (-i suip.biz) using cURL as client (-u curl) (note that the hash value may vary for different clients):

sudo bash ja3s-ja4s-scanner.sh -i suip.biz -u curl

Scan a subnet of IP addresses (-s 185.117.153.0/24) in 50 simultaneous threads (-m 50), without displaying the results on the screen (-q) and saving the results to a file (-o results.txt):

sudo bash ja3s-ja4s-scanner.sh -s 185.117.153.0/24 -m 50 -q -o results.txt

Scan all targets specified in the file (-f targets.txt):

sudo bash ja3s-ja4s-scanner.sh -f targets.txt

Show all JA3S and JA4S hashes for the specified server (-i 185.117.153.79), using the suip.biz.pcapng file (-e suip.biz.pcapng) as the data source:

sudo bash ja3s-ja4s-scanner.sh -i 185.117.153.79 -e suip.biz.pcapng

How to install JA3S-JA4S-scanner

Installation on Kali Linux

1. Install the console version of Wireshark is a must.

sudo apt install tshark

2. Install the JA4+ Wireshark plugin is a must, otherwise JA4S hashes will not be calculated.

Binary versions of the plugin file are located at https://github.com/FoxIO-LLC/ja4/tree/main/wireshark/binaries/linux

Note: the source code and build instructions are also there for those who want to compile the plugin file from the source code.

There you can choose the plugin that suits your version of Wireshark.

After downloading it, move the file to the Wireshark plugins folder. Currently, it is /usr/lib/x86_64-linux-gnu/wireshark/plugins/4.4/epan.

For Wireshark versions 4.4.* you can use the following commands to download and copy the file to the desired folder:

wget https://github.com/FoxIO-LLC/ja4/raw/refs/heads/main/wireshark/binaries/linux/4.4.0/ja4.so
sudo cp ja4.so /usr/lib/x86_64-linux-gnu/wireshark/plugins/4.4/epan

3. Install Interlace – optional, only if you plan to use batch mode and scan IP subnets.

git clone https://github.com/codingo/Interlace
cd Interlace/
sudo python3 setup.py install

4. Install curl-impersonate – optional, only if you want to scan servers pretending to be different web browsers.

sudo apt install libnss3 nss-plugin-pem ca-certificates
wget -O curl-impersonate.tar.gz https://github.com/lwthiker/curl-impersonate/releases/download/v0.6.1/curl-impersonate-v0.6.1.x86_64-linux-gnu.tar.gz
mkdir curl-impersonate
tar xvzf curl-impersonate.tar.gz -C curl-impersonate
sudo mv curl-impersonate/* /usr/local/bin/
rm -rf curl-impersonate.tar.gz curl-impersonate
curl_chrome116 -h

5. Now, after downloading and installing all dependencies, download the JA3S-JA4S-scanner script:

wget https://kali.tools/files/scripts/ja3s-ja4s-scanner.sh

Installation on BlackArch

1. Install the console version of Wireshark is a must.

sudo pacman -S wireshark-cli

2. Install the JA4+ Wireshark plugin is a must, otherwise JA4S hashes will not be calculated.

Binary versions of the plugin file are located at https://github.com/FoxIO-LLC/ja4/tree/main/wireshark/binaries/linux

Note: the source code and build instructions are also there for those who want to compile the plugin file from the source code.

There you can choose the plugin that suits your version of Wireshark.

After downloading it, move the file to the Wireshark plugins folder. Currently, it is /usr/lib/wireshark/plugins/4.4/epan.

For Wireshark 4.4.* versions, you can use the following commands to download and copy the file to the desired folder:

wget https://github.com/FoxIO-LLC/ja4/raw/refs/heads/main/wireshark/binaries/linux/4.4.0/ja4.so
sudo cp ja4.so /usr/lib/wireshark/plugins/4.4/epan

3. Install Interlace – optional, only if you plan to use batch mode and scan IP subnets.

sudo pacman -S interlace

4. Install curl-impersonate – optional, only if you want to scan servers pretending to be different web browsers.

sudo pacman -S nss ca-certificates
wget -O curl-impersonate.tar.gz https://github.com/lwthiker/curl-impersonate/releases/download/v0.6.1/curl-impersonate-v0.6.1.x86_64-linux-gnu.tar.gz
mkdir curl-impersonate
tar xvzf curl-impersonate.tar.gz -C curl-impersonate
sudo mv curl-impersonate/* /usr/local/bin/
rm -rf curl-impersonate.tar.gz curl-impersonate
curl_chrome116 -h

5. Now, after downloading and installing all dependencies, download the JA3S-JA4S-scanner script:

wget https://kali.tools/files/scripts/ja3s-ja4s-scanner.sh

JA3S-JA4S-scanner Screenshots

JA3S-JA4S-scanner Tutorials

Coming soon…

Related tools

Recommended for you:

Comments are Closed

Рейтинг@Mail.ru