TL;DR

JARM is an active Transport Layer Security (TLS) server fingerprinting tool.

Scanning with JARM provides the ability to identify and group malicious servers on the Internet.

JARM is available here: https://github.com/salesforce/jarm

JARM fingerprints can be used to:

  • Quickly verify that all servers in a group have the same TLS configuration.

In this blog post you will learn:

  • How JARM works.


John Althouse, Director of Threat Detection, Salesforce


Network threat detection is a moving target. Those of us in the threat detection corner of the security universe are always on the lookout for better ways to identify and prevent “evil on the network.” With JA3/S and HASSH, detecting malicious encrypted channels on the network can be, in some cases, exceedingly easy.

Recently, I held a tech talk titled Finding Evil on the Network Using JA3/S and HASSH. This blog is a very high-level overview of that talk, so you can decide without spending too much time whether it’s something you’d be interested in watching. …



TL;DR

In this blog post, I’ll go over how to utilize JA3 with JA3S as a method to fingerprint the TLS negotiation between client and server. This combined fingerprinting can assist in producing higher fidelity identification of the encrypted communication between a specific client and its server. For example —

Standard Tor Client:
JA3 = e7d705a3286e19ea42f587b344ee6865 ( Tor Client )
JA3S = a95ca7eab4d47d051a5cd4fb7b6005dc ( Tor Server Response )

The Tor servers always respond to the Tor client in exactly the same way, providing higher confidence that the traffic is indeed Tor. Further examples —

Trickbot malware:
JA3 = 6734f37431670b3ab4292b8f60f29984 ( Trickbot )
JA3S = 623de93db17d313345d7ea481e7443cf ( C2 Server Response…
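Pairing the client fingerprint with the server response is what lifts the confidence, as the post explains. The following is an added example (not code from the post or from the JA3 project) that runs that pairing logic over a few constructed, JSON-formatted TLS session records in the shape of a Zeek ssl.log with ja3/ja3s fields; the hosts, timestamps and the unknown server hash are hypothetical, while the JA3/JA3S values come from the excerpt above.

```python
"""Pair JA3 (client) with JA3S (server) fingerprints over TLS session logs."""
import json

# Client/server fingerprint pairs quoted in the post above.
PAIR_RULES = {
    ("e7d705a3286e19ea42f587b344ee6865", "a95ca7eab4d47d051a5cd4fb7b6005dc"): "Tor",
    ("6734f37431670b3ab4292b8f60f29984", "623de93db17d313345d7ea481e7443cf"): "Trickbot C2",
}
# Client-only hashes derived from the same rules, used for the weaker match.
CLIENT_RULES = {ja3: label for (ja3, _), label in PAIR_RULES.items()}

# Constructed sample records (hypothetical hosts and timestamps) in the shape
# of a JSON-formatted Zeek ssl.log that carries ja3 and ja3s fields.
SAMPLE_LOG = """\
{"ts": 1.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "ja3": "e7d705a3286e19ea42f587b344ee6865", "ja3s": "a95ca7eab4d47d051a5cd4fb7b6005dc"}
{"ts": 2.0, "id.orig_h": "10.0.0.6", "id.resp_h": "203.0.113.20", "ja3": "e7d705a3286e19ea42f587b344ee6865", "ja3s": "ffffffffffffffffffffffffffffffff"}
{"ts": 3.0, "id.orig_h": "10.0.0.7", "id.resp_h": "198.51.100.3", "ja3": "6734f37431670b3ab4292b8f60f29984", "ja3s": "623de93db17d313345d7ea481e7443cf"}
{"ts": 4.0, "id.orig_h": "10.0.0.8", "id.resp_h": "198.51.100.4", "ja3": "94c485bca29d5392be53f2b8cf7f4304", "ja3s": "623de93db17d313345d7ea481e7443cf"}
"""

def classify(record):
    """Return (label, confidence) for one session, or None if nothing matches.

    A matching JA3+JA3S pair is 'high'; a JA3 hit whose server response
    differs from the expected JA3S is 'low' (client fingerprint only).
    """
    ja3, ja3s = record.get("ja3"), record.get("ja3s")
    if (ja3, ja3s) in PAIR_RULES:
        return PAIR_RULES[(ja3, ja3s)], "high"
    if ja3 in CLIENT_RULES:
        return CLIENT_RULES[ja3], "low"
    return None

def scan(log_text):
    """Parse newline-delimited JSON records and collect all hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        verdict = classify(rec)
        if verdict:
            hits.append((rec["id.orig_h"], rec["id.resp_h"]) + verdict)
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%s -> %s : %s (%s confidence)" % hit)
```

The second record shows the point of the pairing: the same Tor client hash talking to a server that does not answer like a Tor server is only a low-confidence hit.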


SSL/TLS Client Fingerprinting for Malware Detection

UPDATE: Please read the latest blog post on JA3 here:

A JA3 hash represents the fingerprint of an SSL/TLS client application as detected via a network sensor or device, such as Bro or Suricata. This allows for simple and effective detection of client applications such as Chrome running on OSX (JA3=94c485bca29d5392be53f2b8cf7f4304) or the Dyre malware family running on Windows (JA3=b386946a5a44d1ddcc843bc75336dfce) or Metasploit’s Meterpreter running on Linux (JA3=5d65ea3fb1d4aa7d826733d2f2cbbb1d). JA3 allows us to detect these applications, malware families, and pen testing tools, regardless of their destination, Command and Control (C2) IPs, or SSL certificates.

JA3 has been open sourced and is available here: https://github.com/salesforce/ja3

JA3 was created by:
John B. …

About

John Althouse

A leader and serial inventor in cyber security.
