JA4+

JA4+ Description

JA4+ is a set of network fingerprinting standards, utilities, and plugins for computing network fingerprints.

JA4+ is a set of network fingerprinting methods that are easy to use and share. These methods are easy for both humans and machines to understand, allowing for more efficient threat hunting and analysis. Use cases for these fingerprints include threat actor scanning, malware detection, session hijack prevention, compliance automation, location tracking, DDoS detection, threat actor grouping, reverse shell detection, and more.

This repository includes code for computing JA4+ in Python, Rust, Zeek, and C as a Wireshark plugin.

This page is about a Python script that extracts JA4, JA4S, JA4H, JA4L, JA4LS, JA4X, JA4SSH, JA4T, JA4TS fingerprints from PCAP files.

Homepage:

Author: John Althouse

License: BSD 3-Clause, FoxIO License 1.1

JA4+ Help

Usage:

ja4.py [-h] [-key KEY] [-v] [-J] [--ja4] [--ja4s] [--ja4l] [--ja4h] [--ja4x] [--ja4ssh] [-r] [-o] [-f [OUTPUT]] [-s [STREAM]] pcap

Options:

positional arguments:
  pcap                  The pcap file to process

options:
  -h, --help            Show this help message and exit
  -key KEY              The key file to use for decryption
  -v, --verbose         Verbose mode
  -J, --json            Output in JSON
  --ja4, --ja4          Output JA4 fingerprints only
  --ja4s, --ja4s        Output JA4S fingerprints only
  --ja4l, --ja4l        Output JA4L-C/S fingerprints only
  --ja4h, --ja4h        Output JA4H fingerprints only
  --ja4x, --ja4x        Output JA4X fingerprints only
  --ja4ssh, --ja4ssh    Output JA4SSH fingerprints only
  -r, --raw_fingerprint
                        Output raw fingerprint
  -o, --original_rendering
                        Output the JA4_O hash (distinguished by the lack of cipher sorting)
  -f FILE, --output FILE
                        Send output to file FILE
  -s NUMBER, --stream NUMBER
                        Examine only a single thread with the specified NUMBER

JA4+ Manual

The man page is missing.

JA4+ Details

JA4+ is a set of simple yet powerful network fingerprints for multiple protocols that are both human and machine readable, facilitating advanced threat hunting and security analysis.

All JA4+ fingerprints use the format a_b_c, with underscores delimiting the sections that make up the fingerprint. Because each section carries its own meaning, you can search and pivot on the ab, ac, or c parts alone instead of only on the complete string. For example, someone who just wants to analyze the cookies arriving at their application would look only at JA4H_c. Each part can therefore be analyzed separately according to the purpose at hand, which allows deeper and more meaningful analysis while keeping the overall concept simple, easy to use, and extensible.

Current methods and implementation details:

Full Name          Short Name   Description
JA4                JA4          TLS Client Fingerprinting
JA4Server          JA4S         TLS Server Response / Session Fingerprinting
JA4HTTP            JA4H         HTTP Client Fingerprinting
JA4Latency         JA4L         Client to Server Latency Measurement / Light Distance
JA4LatencyServer   JA4LS        Server to Client Latency Measurement / Light Distance
JA4X509            JA4X         X509 TLS Certificate Fingerprinting
JA4SSH             JA4SSH       SSH Traffic Fingerprinting
JA4TCP             JA4T         TCP Client Fingerprinting
JA4TCPServer       JA4TS        TCP Server Response Fingerprinting
JA4TCPScan         JA4TScan     Active TCP Fingerprint Scanner

More technical details on hash calculations can also be found at the following links:

JA4+ Usage Example

Print all TLS fingerprint hash types found in the traffic capture file (/mnt/disk_d/Share/Captures/ssl_443.pcapng):

python ja4.py /mnt/disk_d/Share/Captures/ssl_443.pcapng

Sample output:

{'stream': 0, 'src': '127.0.0.1', 'dst': '127.0.0.1', 'srcport': '38502', 'dstport': '443', 'client_ttl': '64', 'server_ttl': '64', 'domain': 'hackware.local', 'JA4': 't13d2912h2_723694b0fccc_288f874c93d6', 'JA4S': 't130200_1302_a56c5b993250'}

Print only JA4 hashes found in the traffic capture file (/mnt/disk_d/Share/Captures/ssl_443.pcapng):

python ja4.py --ja4 /mnt/disk_d/Share/Captures/ssl_443.pcapng

Sample output:

{'stream': 0, 'src': '127.0.0.1', 'dst': '127.0.0.1', 'srcport': '38502', 'dstport': '443', 'timestamp': '2024-10-07T11:40:18.480878482Z', 'client_ttl': '64', 'server_ttl': '64', 'domain': 'hackware.local', 'JA4': 't13d2912h2_723694b0fccc_288f874c93d6'}

Print all TLS fingerprint hash types found in the traffic capture file (/mnt/disk_d/Share/Captures/ssl_443.pcapng) in JSON format (--json):

python ja4.py --json /mnt/disk_d/Share/Captures/ssl_443.pcapng

Sample output:

{
    "stream": 0,
    "src": "127.0.0.1",
    "dst": "127.0.0.1",
    "srcport": "38502",
    "dstport": "443",
    "client_ttl": "64",
    "server_ttl": "64",
    "domain": "hackware.local",
    "JA4": "t13d2912h2_723694b0fccc_288f874c93d6",
    "JA4S": "t130200_1302_a56c5b993250"
}

Print all TLS fingerprint hash types found in the traffic capture file (/mnt/disk_d/Share/Captures/ssl_443.pcapng), and also print the raw strings used to compute the hashes (-r), and display the result on the screen in JSON format (--json):

python ja4.py -r --json /mnt/disk_d/Share/Captures/ssl_443.pcapng

Sample output:

{
    "stream": 0,
    "src": "127.0.0.1",
    "dst": "127.0.0.1",
    "srcport": "38502",
    "dstport": "443",
    "client_ttl": "64",
    "server_ttl": "64",
    "domain": "hackware.local",
    "JA4": "t13d2912h2_723694b0fccc_288f874c93d6",
    "JA4_r": "t13d2912h2_002f,0033,0035,0039,009c,009d,009e,009f,1301,1302,1303,1304,c009,c00a,c013,c014,c02b,c02c,c02f,c030,c09c,c09d,c09e,c09f,c0ac,c0ad,cca8,cca9,ccaa_0005,000a,000b,000d,0016,0017,001c,002b,0033,ff01_0401,0809,0804,0403,0807,0501,080a,0805,0503,0808,0601,080b,0806,0603,0201,0203",
    "JA4S": "t130200_1302_a56c5b993250",
    "JA4S_r": "t130200_1302_002b,0033"
}

Print all TLS fingerprint hash types found in the traffic capture file (/mnt/disk_d/Share/Captures/just-test.pcapng), only for streams whose source is the specified IPv6 address. The default output is one Python-style dict per stream on a single line, so a plain grep on the quoted key/value pair is enough ( | grep "'src': '2001:fb1:138:db4b:886:db58:ee8b:a7bc'"):

python ja4.py /mnt/disk_d/Share/Captures/just-test.pcapng | grep "'src': '2001:fb1:138:db4b:886:db58:ee8b:a7bc'"

Print all TLS fingerprint hash types found in the traffic capture file (/mnt/disk_d/Share/Captures/just-test.pcapng), only for streams whose SNI domain is suip.biz ( | grep "'domain': 'suip.biz'"):

python ja4.py /mnt/disk_d/Share/Captures/just-test.pcapng | grep "'domain': 'suip.biz'"

Print only JA4S hashes found in the traffic capture file (/mnt/disk_d/Share/Captures/just-test.pcapng), only for streams whose destination is the specified IPv6 address ( | grep "'dst': '2604:a880:800:c1::2ae:d001'"):

python ja4.py --ja4s /mnt/disk_d/Share/Captures/just-test.pcapng | grep "'dst': '2604:a880:800:c1::2ae:d001'"

Print only TLS X509 (JA4X) certificate fingerprints (--ja4x):

python ja4.py --ja4x /mnt/disk_d/Share/Captures/just-test.pcapng
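The following is an added example written for this page, not code from the ja4.py project. It consumes the output of ja4.py --json, which is a sequence of pretty-printed JSON objects (one per stream) rather than a single JSON document, filters records by field value the way the grep pipelines above do, expands the human-readable a section of a JA4 fingerprint, and recomputes the hashed b and c sections from the -r raw strings. The recomputation follows the published JA4 rule as this example reads it: the first 12 hex characters of SHA-256 over the sorted cipher list for b, and over the sorted extension list (SNI and ALPN already removed) joined by an underscore to the signature algorithms for c; for JA4S, b is the chosen cipher and c hashes the server extensions in order. The only real data is the -r --json record shown above; the function names are this example's own.

```python
"""Post-process `ja4.py --json` output (added example, not ja4.py project code)."""
import hashlib
import json
import re

# Constructed input: the `ja4.py -r --json` record shown on this page. ja4.py
# prints one pretty-printed object per stream, back to back, so json.loads()
# on the whole output fails; parse_records() decodes object by object.
SAMPLE_OUTPUT = """
{
    "stream": 0,
    "src": "127.0.0.1",
    "dst": "127.0.0.1",
    "srcport": "38502",
    "dstport": "443",
    "client_ttl": "64",
    "server_ttl": "64",
    "domain": "hackware.local",
    "JA4": "t13d2912h2_723694b0fccc_288f874c93d6",
    "JA4_r": "t13d2912h2_002f,0033,0035,0039,009c,009d,009e,009f,1301,1302,1303,1304,c009,c00a,c013,c014,c02b,c02c,c02f,c030,c09c,c09d,c09e,c09f,c0ac,c0ad,cca8,cca9,ccaa_0005,000a,000b,000d,0016,0017,001c,002b,0033,ff01_0401,0809,0804,0403,0807,0501,080a,0805,0503,0808,0601,080b,0806,0603,0201,0203",
    "JA4S": "t130200_1302_a56c5b993250",
    "JA4S_r": "t130200_1302_002b,0033"
}
"""


def parse_records(text):
    """Decode concatenated JSON objects (one per TLS stream) into a list of dicts."""
    decoder = json.JSONDecoder()
    records, pos = [], 0
    while True:
        while pos < len(text) and text[pos].isspace():  # skip gaps between objects
            pos += 1
        if pos >= len(text):
            return records
        obj, pos = decoder.raw_decode(text, pos)
        records.append(obj)


def filter_records(records, **fields):
    """Keep records whose fields equal the given values, e.g. domain='suip.biz'."""
    return [r for r in records if all(r.get(k) == v for k, v in fields.items())]


def ja4_hash(value):
    """Truncated SHA-256 (12 hex chars) used for the hashed b and c sections."""
    return hashlib.sha256(value.encode("ascii")).hexdigest()[:12]


JA4_A = re.compile(r"^(?P<proto>[tq])(?P<version>..)(?P<sni>[di])"
                   r"(?P<ciphers>\d\d)(?P<exts>\d\d)(?P<alpn>..)$")


def decode_ja4_a(a):
    """Expand the human-readable a section, e.g. t13d2912h2."""
    m = JA4_A.match(a)
    if m is None:
        raise ValueError(f"not a JA4 a-section: {a!r}")
    g = m.groupdict()
    return {
        "transport": "QUIC" if g["proto"] == "q" else "TCP",
        "tls_version": g["version"],         # "13" = TLS 1.3, "12" = TLS 1.2, ...
        "sni": g["sni"] == "d",              # d = SNI (domain) present, i = IP, no SNI
        "cipher_count": int(g["ciphers"]),
        "extension_count": int(g["exts"]),   # counts SNI and ALPN, excludes GREASE
        "alpn": g["alpn"],                   # first+last char of first ALPN, "00" if none
    }


def check_ja4(rec):
    """Check a JA4 record against its JA4_r raw string; all values should be True."""
    a, b, c = rec["JA4"].split("_")
    parts = rec["JA4_r"].split("_")
    ciphers, exts = parts[1], parts[2]
    sigalgs = parts[3] if len(parts) > 3 else ""
    meta = decode_ja4_a(a)
    # SNI (0000) and ALPN (0010) are counted in the a section but stripped from the hash input
    n_exts = (len(exts.split(",")) if exts else 0) + int(meta["sni"]) + int(meta["alpn"] != "00")
    c_input = exts + ("_" + sigalgs if sigalgs else "")
    return {
        "a_matches_raw": parts[0] == a,
        "cipher_count_ok": meta["cipher_count"] == (len(ciphers.split(",")) if ciphers else 0),
        "extension_count_ok": meta["extension_count"] == n_exts,
        "b_ok": (ja4_hash(ciphers) if ciphers else "000000000000") == b,
        "c_ok": (ja4_hash(c_input) if exts else "000000000000") == c,
    }


def check_ja4s(rec):
    """JA4S: b is the chosen cipher (not hashed); c hashes the server extensions in order."""
    a, b, c = rec["JA4S"].split("_")
    parts = rec["JA4S_r"].split("_")
    raw_exts = parts[2] if len(parts) > 2 else ""
    return {
        "a_matches_raw": parts[0] == a,
        "b_ok": parts[1] == b,
        "c_ok": (ja4_hash(raw_exts) if raw_exts else "000000000000") == c,
    }


if __name__ == "__main__":
    for r in filter_records(parse_records(SAMPLE_OUTPUT), domain="hackware.local"):
        print(r["JA4"], decode_ja4_a(r["JA4"].split("_")[0]))
        print("JA4 ", check_ja4(r))
        print("JA4S", check_ja4s(r))
```

Feed it real data with `python ja4.py -r --json capture.pcapng > out.json` and pass the file contents to parse_records(); a False in check_ja4() on a record means the hash and the raw string disagree, which is the kind of check worth running before a fingerprint is promoted into a detection rule.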

How to install JA4+

Installation on Kali Linux

sudo apt install tshark
git clone https://github.com/FoxIO-LLC/ja4
cd ja4/python/
python ja4.py -h

Installation on BlackArch

sudo pacman -S wireshark-cli
git clone https://github.com/FoxIO-LLC/ja4
cd ja4/python/
python ja4.py -h

Installation on Windows

1. Install Python using the Windows installer: https://www.python.org/downloads/windows/

If you need tips, see the instructions “How to install Python and PIP on Windows”.

2. Install Wireshark for Windows: https://www.wireshark.org/download.html

As a result, you will have Wireshark with a graphical interface and Wireshark with a console interface (the tshark.exe file), which is what we need.

3. Find the path to the tshark.exe file, for example:

C:\Program Files\Wireshark\tshark.exe

4. Add the path to tshark to your ‘PATH’ environment variable in Windows. This is important for the correct operation of pyshark. Note that you need to add the folder containing the tshark.exe file (not the file itself) to the ‘PATH’ environment variable.

To add to the environment variable ‘PATH’:

4.1) Click the Start button, start typing “Edit the system environment variables” and open the corresponding settings window.

4.2) There, click “Environment Variables”.

4.3) In the “System Variables” window, find and click “Path”, then click “Edit” button.

4.4) Click “New”.

4.5) Enter the path to the folder containing tshark.exe there, for example ‘C:\Program Files\Wireshark\’:

4.6) Move the entry to the very top.

4.7) Close all windows, saving the changes made.

5. Download and unzip the JA4+ files: https://github.com/FoxIO-LLC/ja4/archive/refs/heads/main.zip

Open the terminal and navigate to the ja4-main\python folder:

Set-Location .\ja4-main\python\

Run the script:

python ja4.py -h

You can do these actions (download and unzip the archive with the program, as well as navigate to the folder with Python scripts) without leaving the Terminal:

Invoke-WebRequest https://github.com/FoxIO-LLC/ja4/archive/refs/heads/main.zip -OutFile main.zip
Expand-Archive main.zip
Set-Location .\main\ja4-main\python\
python ja4.py -h

JA4+ Tutorials

The online JA4 check service at w-e-b.site also has a variant for console utilities; its address is https://w-e-b.site/?act=ja4. Example of usage:

curl -A 'Chrome' 'https://w-e-b.site/?act=ja4'

Note that -A 'Chrome' only sets the HTTP User-Agent header. The TLS ClientHello, and therefore the JA4 fingerprint the service sees, is still that of curl and its TLS library, not of a Chrome browser. A User-Agent that claims one client while the JA4 fingerprint belongs to another is exactly the kind of mismatch JA4 is designed to expose.
