JA4+
JA4+ Description
JA4+ is a set of network fingerprinting standards, utilities, and plugins for computing network fingerprints.
JA4+ is a set of network fingerprinting methods that are easy to use and share. These methods are easy for both humans and machines to understand, allowing for more efficient threat hunting and analysis. Use cases for these fingerprints include threat actor scanning, malware detection, session hijack prevention, compliance automation, location tracking, DDoS detection, threat actor grouping, reverse shell detection, and more.
This repository includes code for computing JA4+ in Python, Rust, Zeek, and C as a Wireshark plugin.
This page is about a Python script that extracts JA4, JA4S, JA4H, JA4L, JA4LS, JA4X, JA4SSH, JA4T, JA4TS fingerprints from PCAP files.
Homepage:
Author: John Althouse
License: BSD 3-Clause, FoxIO License 1.1
JA4+ Help
Usage:
ja4.py [-h] [-key KEY] [-v] [-J] [--ja4] [--ja4s] [--ja4l] [--ja4h] [--ja4x] [--ja4ssh] [-r] [-o] [-f [OUTPUT]] [-s [STREAM]] pcap
Options:
positional arguments:
  pcap                       The pcap file to process

options:
  -h, --help                 Show this help message and exit
  -key KEY                   The key file to use for decryption
  -v, --verbose              Verbose mode
  -J, --json                 Output in JSON
  --ja4, --ja4               Output JA4 fingerprints only
  --ja4s, --ja4s             Output JA4S fingerprints only
  --ja4l, --ja4l             Output JA4L-C/S fingerprints only
  --ja4h, --ja4h             Output JA4H fingerprints only
  --ja4x, --ja4x             Output JA4X fingerprints only
  --ja4ssh, --ja4ssh         Output JA4SSH fingerprints only
  -r, --raw_fingerprint      Output raw fingerprint
  -o, --original_rendering   Output the JA4_O hash (distinguished by the lack of cipher sorting)
  -f FILE, --output FILE     Send output to file FILE
  -s NUMBER, --stream NUMBER Examine only a single thread with the specified NUMBER
JA4+ Manual
The man page is missing.
JA4+ Details
JA4+ is a set of simple yet powerful network fingerprints for multiple protocols that are both human and machine readable, facilitating advanced threat hunting and security analysis.
All JA4+ fingerprints are in the format a_b_c, delimiting the different sections that make up the fingerprint. This allows for search and discovery using only the ab, ac, or c parts of the fingerprint. If someone just wants to analyze incoming cookies to their application, they would only look at JA4H_c. In this format the different parts of the fingerprint have different meanings and can be analyzed separately depending on the intended purpose. This allows for deeper and more meaningful analysis, while keeping the overall concept simple, easy to use, and extensible.
Current methods and implementation details:
Full Name | Short Name | Description |
---|---|---|
JA4 | JA4 | TLS Client Fingerprinting |
JA4Server | JA4S | TLS Server Response / Session Fingerprinting |
JA4HTTP | JA4H | HTTP Client Fingerprinting |
JA4Latency | JA4L | Client to Server Latency Measurement / Light Distance |
JA4LatencyServer | JA4LS | Server to Client Latency Measurement / Light Distance |
JA4X509 | JA4X | X509 TLS Certificate Fingerprinting |
JA4SSH | JA4SSH | SSH Traffic Fingerprinting |
JA4TCP | JA4T | TCP Client Fingerprinting |
JA4TCPServer | JA4TS | TCP Server Response Fingerprinting |
JA4TCPScan | JA4TScan | Active TCP Fingerprint Scanner |
More technical details on hash calculations can also be found at the following links:
- https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/README.md
- https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md
- https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4H.md
JA4+ Usage Example
Print all TLS fingerprint hash types found in the traffic capture file (/mnt/disk_d/Share/Captures/ssl_443.pcapng):
python ja4.py /mnt/disk_d/Share/Captures/ssl_443.pcapng
Sample output:
{'stream': 0, 'src': '127.0.0.1', 'dst': '127.0.0.1', 'srcport': '38502', 'dstport': '443', 'client_ttl': '64', 'server_ttl': '64', 'domain': 'hackware.local', 'JA4': 't13d2912h2_723694b0fccc_288f874c93d6', 'JA4S': 't130200_1302_a56c5b993250'}
Print only JA4 hashes found in the traffic capture file (/mnt/disk_d/Share/Captures/ssl_443.pcapng):
python ja4.py --ja4 /mnt/disk_d/Share/Captures/ssl_443.pcapng
Sample output:
{'stream': 0, 'src': '127.0.0.1', 'dst': '127.0.0.1', 'srcport': '38502', 'dstport': '443', 'timestamp': '2024-10-07T11:40:18.480878482Z', 'client_ttl': '64', 'server_ttl': '64', 'domain': 'hackware.local', 'JA4': 't13d2912h2_723694b0fccc_288f874c93d6'}
Print all TLS fingerprint hash types found in the traffic capture file (/mnt/disk_d/Share/Captures/ssl_443.pcapng) in JSON format (--json):
python ja4.py --json /mnt/disk_d/Share/Captures/ssl_443.pcapng
Sample output:
{ "stream": 0, "src": "127.0.0.1", "dst": "127.0.0.1", "srcport": "38502", "dstport": "443", "client_ttl": "64", "server_ttl": "64", "domain": "hackware.local", "JA4": "t13d2912h2_723694b0fccc_288f874c93d6", "JA4S": "t130200_1302_a56c5b993250" }
Print all TLS fingerprint hash types found in the traffic capture file (/mnt/disk_d/Share/Captures/ssl_443.pcapng), and also print the raw strings used to compute the hashes (-r), and display the result on the screen in JSON format (--json):
python ja4.py -r --json /mnt/disk_d/Share/Captures/ssl_443.pcapng
Sample output:
{ "stream": 0, "src": "127.0.0.1", "dst": "127.0.0.1", "srcport": "38502", "dstport": "443", "client_ttl": "64", "server_ttl": "64", "domain": "hackware.local", "JA4": "t13d2912h2_723694b0fccc_288f874c93d6", "JA4_r": "t13d2912h2_002f,0033,0035,0039,009c,009d,009e,009f,1301,1302,1303,1304,c009,c00a,c013,c014,c02b,c02c,c02f,c030,c09c,c09d,c09e,c09f,c0ac,c0ad,cca8,cca9,ccaa_0005,000a,000b,000d,0016,0017,001c,002b,0033,ff01_0401,0809,0804,0403,0807,0501,080a,0805,0503,0808,0601,080b,0806,0603,0201,0203", "JA4S": "t130200_1302_a56c5b993250", "JA4S_r": "t130200_1302_002b,0033" }
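The JA4_r string above is the unhashed form of the a_b_c fingerprint described earlier: the a section stays as is, and the b and c sections are the first 12 hex characters of a SHA-256 over the cipher list and over the extension list plus signature algorithms. The following script is an added example, not part of the ja4 project; it parses the JA4_r value from the sample output (copied into the code), checks that the counts encoded in the a section agree with the raw lists, and renders both the sorted JA4 and the unsorted JA4_O (the -o option) from it, so the hashed value printed beside JA4_r on the page can be reproduced.

```python
import hashlib

# JA4_r raw string copied from the sample output above (ja4.py -r); the hashed
# JA4 printed beside it on the page can be compared with ja4_from_raw().
SAMPLE_JA4_R = (
    "t13d2912h2_"
    "002f,0033,0035,0039,009c,009d,009e,009f,1301,1302,1303,1304,"
    "c009,c00a,c013,c014,c02b,c02c,c02f,c030,c09c,c09d,c09e,c09f,"
    "c0ac,c0ad,cca8,cca9,ccaa_"
    "0005,000a,000b,000d,0016,0017,001c,002b,0033,ff01_"
    "0401,0809,0804,0403,0807,0501,080a,0805,0503,0808,0601,080b,"
    "0806,0603,0201,0203"
)

def parse_ja4_raw(raw):
    """Split a JA4_r string into the a section and its three raw lists."""
    a, ciphers, rest = raw.split("_", 2)
    exts, _, sigalgs = rest.partition("_")  # no sigalgs without extension 000d
    return {"a": a, "ciphers": ciphers.split(","),
            "extensions": exts.split(",") if exts else [],
            "sigalgs": sigalgs.split(",") if sigalgs else []}

def a_section_is_consistent(p):
    """Check the counts in the a section (t13d2912h2: 29 ciphers, 12 extensions)
    against the raw lists; SNI (0000) and ALPN (0010) are counted but not hashed."""
    a = p["a"]
    if len(a) != 10 or a[0] not in "tq" or a[3] not in "di":
        return False
    hidden = (a[3] == "d") + (a[8:10] != "00")  # SNI present / ALPN present
    return (int(a[4:6]) == len(p["ciphers"])
            and int(a[6:8]) == len(p["extensions"]) + hidden)

def _h12(s):
    return hashlib.sha256(s.encode()).hexdigest()[:12]

def ja4_from_raw(raw, original_order=False):
    """Render a_b_c from a raw fingerprint. JA4 sorts ciphers and extensions
    before hashing; JA4_O keeps wire order. Signature algorithms are never sorted."""
    p = parse_ja4_raw(raw)
    ciphers, exts = p["ciphers"], p["extensions"]
    if not original_order:
        ciphers, exts = sorted(ciphers), sorted(exts)
    c_input = ",".join(exts)
    if p["sigalgs"]:
        c_input += "_" + ",".join(p["sigalgs"])
    b = _h12(",".join(ciphers)) if ciphers else "000000000000"
    c = _h12(c_input) if exts else "000000000000"
    return f'{p["a"]}_{b}_{c}'
```

Because JA4 sorts the cipher list, a client that randomises cipher order keeps the same JA4 across connections, while its JA4_O changes; the raw JA4_r form makes it easy to see which ciphers or extensions two fingerprints differ in.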
Print all TLS fingerprint hash types found in the traffic capture file (/mnt/disk_d/Share/Captures/just-test.pcapng), only for packets where the traffic source is the specified IPv6 ( | grep "'src': '2001:fb1:138:db4b:886:db58:ee8b:a7bc'"):
python ja4.py /mnt/disk_d/Share/Captures/just-test.pcapng | grep "'src': '2001:fb1:138:db4b:886:db58:ee8b:a7bc'"
Print all TLS fingerprint hash types found in the traffic capture file (/mnt/disk_d/Share/Captures/just-test.pcapng), only for packets where the destination domain is suip.biz ( | grep "'domain': 'suip.biz'"):
python ja4.py /mnt/disk_d/Share/Captures/just-test.pcapng | grep "'domain': 'suip.biz'"
Print only JA4S hashes found in the traffic capture file (/mnt/disk_d/Share/Captures/just-test.pcapng), only for packets where the destination is the specified IPv6 ( | grep "'dst': '2604:a880:800:c1::2ae:d001'"):
python ja4.py --ja4s /mnt/disk_d/Share/Captures/just-test.pcapng | grep "'dst': '2604:a880:800:c1::2ae:d001'"
Print only TLS X509 (JA4X) certificate fingerprints (--ja4x):
python ja4.py --ja4x /mnt/disk_d/Share/Captures/just-test.pcapng
How to install JA4+
Installation on Kali Linux
sudo apt install tshark
git clone https://github.com/FoxIO-LLC/ja4
cd ja4/python/
python ja4.py -h
Installation on BlackArch
sudo pacman -S wireshark-cli
git clone https://github.com/FoxIO-LLC/ja4
cd ja4/python/
python ja4.py -h
Installation on Windows
1. Install Python using the Windows installer: https://www.python.org/downloads/windows/
If you need tips, see the instructions: How to install Python and PIP on Windows. How to set up Python as a web server module
2. Install Wireshark for Windows: https://www.wireshark.org/download.html
As a result, you will have Wireshark with a graphical interface and Wireshark with a console interface (the tshark.exe file), which is what we need.
3. Find the path to the tshark.exe file, for example:
C:\Program Files\Wireshark\tshark.exe
4. Add the path to tshark to your ‘PATH’ environment variable in Windows. This is important for the correct operation of pyshark. Note that you need to add the folder containing the tshark.exe file (not the file itself) to the ‘PATH’ environment variable.
To add to the environment variable ‘PATH’:
4.1) Click the Start button, start typing “Edit the system environment variables” and open the corresponding settings window.
4.2) There, click “Environment Variables”.
4.3) In the “System Variables” window, find and click “Path”, then click “Edit” button.
4.4) Click “Create”
4.5) And enter the path to the folder containing the tshark.exe file there, for example ‘C:\Program Files\Wireshark\’:
4.6) Move the entry to the very top.
4.7) Close all windows, saving the changes made.
5. Download and unzip the JA4+ files: https://github.com/FoxIO-LLC/ja4/archive/refs/heads/main.zip
Open the terminal and navigate to the ja4-main\python folder:
Set-Location .\ja4-main\python\
Run the script:
python3 ja4.py -h
You can do these actions (download and unzip the archive with the program, as well as navigate to the folder with Python scripts) without leaving the Terminal:
Invoke-WebRequest https://github.com/FoxIO-LLC/ja4/archive/refs/heads/main.zip -OutFile main.zip
Expand-Archive main.zip
Set-Location .\main\ja4-main\python\
python3 ja4.py -h
JA4+ Screenshots
JA4+ Tutorials
- 1. TLS fingerprinting: methods for identifying client and server software
- 2. TLS fingerprinting of clients: hash types, utilities for displaying TLS fingerprints of clients
- 3. TLS fingerprinting of servers: hash types, utilities for displaying TLS fingerprints of servers
- Server TLS fingerprinting (JA4S hash)
- Free online service for scanning TLS fingerprints of servers (JA3S and JA4S scanner): https://w-e-b.site/?act=server-tls-fingerprinting
- JA3S and JA4S scanner online: https://suip.biz/?act=server-tls-fingerprinting
- Free online service for scanning TLS fingerprints of client applications (JA3 and JA4 scanner): https://w-e-b.site/?act=client-tls-fingerprinting
- Online JA3 and JA4 scanner (mirror): https://suip.biz/?act=client-tls-fingerprinting
This service also has a variant for console utilities at https://w-e-b.site/?act=ja4; example of usage:
curl -A 'Chrome' 'https://w-e-b.site/?act=ja4'