John Althouse
@4A4133
## Starting with JA4:
TLS Client Fingerprint
JA4 (the replacement for JA3) fingerprints clients based on their TLS Client Hello packet, which is sent before encryption, allowing you to know what's talking on the network without the need to break encryption.
Chrome 132:
JA4=t13d1517h2_8daaf6152771_b6f405a00624
AnyDesk:
JA4=t12i550500_168bb377f8c8_a1e935682795
SoftEther VPN:
JA4=t13d880900_fcb5b95cb75a_b0d3b4ac2a14
Sliver Malware (GoLang):
JA4=t13d190900_9dc949149365_97f8aa674fd9
## JA4Server - JA4S:
TLS Server Response Fingerprint
Each TLS server may respond to different clients differently, but it will always respond to the same client with the same fingerprint, which allows for higher-fidelity detection.
AnyDesk:
JA4=t12i550500_168bb377f8c8_a1e935682795 JA4S=t120300_009f_cef8820c8f19

SoftEther VPN:
JA4=t13d880900_fcb5b95cb75a_b0d3b4ac2a14 JA4S=t130200_1302_a56c5b993250
Addigy (written in Go):
JA4=t13d190900_9dc949149365_97f8aa674fd9 (Go)
JA4S=t130200_1301_234ea6891581 <-- (Addigy server response to Go)
Sliver Malware (written in Go)
JA4=t13d190900_9dc949149365_97f8aa674fd9 (Go)
JA4S=t130200_1301_a56c5b993250 <-- (C2 response to Go)
When looking for certain traffic, rarely do you want to rely on JA4 alone, as there could be too many FPs; instead, you want to combine as many fingerprints and as much additional metadata as possible, such as JA4 AND JA4S AND JA4X, etc.
The more fingerprints you can combine along with other metadata, the higher fidelity detection you can build.
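To make the JA4 and JA4S tweets above concrete, here is an added Python example (mine, not code from the thread or from the JA4+ project). It decodes the fingerprint strings quoted in the thread into their fields using the published JA4/JA4S layout (JA4_a: transport, TLS version, SNI flag, cipher count, extension count, ALPN; JA4S_a: transport, TLS version, extension count, ALPN; JA4S_b: the cipher the server chose), shows that JA4_b is a truncated SHA256 over the sorted cipher list, and then applies the combination rule the thread recommends: a flow is labelled only when JA4 AND JA4S both match. The cipher-name table is my lookup from the IANA TLS registry; the rule labels are assumptions for the demo.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Fingerprint strings quoted in the thread (Go clients: Sliver and Addigy share this JA4).
GO_JA4 = "t13d190900_9dc949149365_97f8aa674fd9"

TLS_VERSIONS = {"13": "TLS 1.3", "12": "TLS 1.2", "11": "TLS 1.1", "10": "TLS 1.0"}
# IANA names for the cipher values seen in the thread's JA4S strings (lookup table, my addition).
CIPHER_NAMES = {
    "1301": "TLS_AES_128_GCM_SHA256",
    "1302": "TLS_AES_256_GCM_SHA384",
    "1303": "TLS_CHACHA20_POLY1305_SHA256",
    "009f": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}


def truncated_sha256(text: str) -> str:
    """Hash form used for the JA4_b/JA4_c/JA4S_c sections: SHA256, first 12 hex chars."""
    return hashlib.sha256(text.encode()).hexdigest()[:12]


def ja4_b(ciphers: list) -> str:
    """JA4_b: cipher suites (4-hex-char values, GREASE already removed) sorted,
    comma-joined, hashed. Sorting is why cipher order does not change JA4_b."""
    return truncated_sha256(",".join(sorted(ciphers)))


@dataclass
class JA4:
    transport: str        # 't' = TCP, 'q' = QUIC
    tls_version: str
    sni_present: bool     # 'd' = SNI (domain) present, 'i' = no SNI (IP)
    cipher_count: int
    extension_count: int
    alpn: str             # first+last char of the first ALPN value, '00' if none
    cipher_hash: str      # JA4_b
    extension_hash: str   # JA4_c


def decode_ja4(fp: str) -> JA4:
    a, b, c = fp.split("_")
    if len(a) != 10:
        raise ValueError(f"unexpected JA4_a length in {fp!r}")
    return JA4(transport={"t": "TCP", "q": "QUIC"}[a[0]],
               tls_version=TLS_VERSIONS.get(a[1:3], a[1:3]),
               sni_present=(a[3] == "d"),
               cipher_count=int(a[4:6]), extension_count=int(a[6:8]),
               alpn=a[8:10], cipher_hash=b, extension_hash=c)


@dataclass
class JA4S:
    transport: str
    tls_version: str
    extension_count: int
    alpn: str
    cipher: str           # JA4S_b: the cipher the server selected
    cipher_name: str
    extension_hash: str   # JA4S_c


def decode_ja4s(fp: str) -> JA4S:
    a, b, c = fp.split("_")
    if len(a) != 7:
        raise ValueError(f"unexpected JA4S_a length in {fp!r}")
    return JA4S(transport={"t": "TCP", "q": "QUIC"}[a[0]],
                tls_version=TLS_VERSIONS.get(a[1:3], a[1:3]),
                extension_count=int(a[3:5]), alpn=a[5:7],
                cipher=b, cipher_name=CIPHER_NAMES.get(b, "unknown"), extension_hash=c)


# (label, JA4, JA4S) pairs from the thread. JA4 alone cannot separate Sliver from
# Addigy (both Go clients); the server response can.
RULES = [
    ("Sliver C2", GO_JA4, "t130200_1301_a56c5b993250"),
    ("Addigy", GO_JA4, "t130200_1301_234ea6891581"),
    ("SoftEther VPN", "t13d880900_fcb5b95cb75a_b0d3b4ac2a14", "t130200_1302_a56c5b993250"),
    ("AnyDesk", "t12i550500_168bb377f8c8_a1e935682795", "t120300_009f_cef8820c8f19"),
]


def classify(ja4: str, ja4s: str) -> Optional[str]:
    """Label a flow only when BOTH fingerprints match a rule; JA4 alone is not enough."""
    for label, want_ja4, want_ja4s in RULES:
        if ja4 == want_ja4 and ja4s == want_ja4s:
            return label
    return None


if __name__ == "__main__":
    chrome = decode_ja4("t13d1517h2_8daaf6152771_b6f405a00624")  # Chrome 132 from the thread
    print(f"Chrome: {chrome.tls_version}, SNI={chrome.sni_present}, "
          f"{chrome.cipher_count} ciphers, {chrome.extension_count} extensions, ALPN {chrome.alpn}")
    print(classify(GO_JA4, "t130200_1301_a56c5b993250"))   # Sliver C2
    print(classify(GO_JA4, "t130200_1301_234ea6891581"))   # Addigy
    print(classify(GO_JA4, "t130200_1302_a56c5b993250"))   # None: Go client, unknown server
```

Reading the decoded fields is often enough to explain a hit: the AnyDesk client speaks TLS 1.2 with no SNI and 55 cipher suites, while the Go client offers 19 suites and no ALPN, and only the JA4S cipher/extension hash tells Sliver's C2 apart from a legitimate Go application's backend.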
## JA4HTTP - JA4H:
HTTP Client Fingerprint
Parts 'a' and 'b' are effectively a fingerprint of the application. In the above example, Lumma C2 pretends to be the Tesla Browser in its user-agent string, yet you can clearly see that, when doing a POST request over HTTP/1.1, their fingerprints look completely different. Just another reason to never trust user-agent strings.
Part 'c' is the fingerprint of the cookie. Each website/app defines what its cookie fields should be; therefore everyone connecting to a FortiGate firewall, for example, should have the exact same JA4H_c fingerprint, because the cookie fields are set by the FortiGate upon login. Anyone with a different cookie is probably a hacking tool.
Part 'd' is the user's cookie fingerprint; this is unique to that user as it includes their session token and other specific data. This allows you to track a user through your site with JA4H_d, and if it stays the same but the application fingerprint changes from Chrome to, say, Cobalt Strike, then that's session hijacking. Easy.
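The JA4H_c and JA4H_d tweets above describe a detection that is easy to show in code. The following is an added Python example (mine, not from the thread or the JA4+ project): it computes JA4H from a raw HTTP/1.1 request using the published JA4H layout as I read it (JA4H_a: method, HTTP version, cookie flag, referer flag, header count excluding Cookie and Referer, Accept-Language; JA4H_b: truncated SHA256 of the header names in order, excluding Cookie and Referer; JA4H_c: hash of the sorted cookie field names; JA4H_d: hash of the sorted cookie name=value pairs), then flags a session whose JA4H_d stays constant while the application part (a+b) changes. The requests, cookie names and IP addresses are constructed for the demo; they are not FortiGate's real cookie fields or real captures.

```python
import hashlib
from typing import Dict, List, Tuple

HTTP_VERSIONS = {"HTTP/1.0": "10", "HTTP/1.1": "11", "HTTP/2": "20", "HTTP/3": "30"}


def _h12(text: str) -> str:
    """Truncated SHA256 (first 12 hex chars), as used for the JA4H hash sections."""
    return hashlib.sha256(text.encode()).hexdigest()[:12]


def parse_request(raw: str) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x request head into (method, version, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, _path, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, version, headers


def ja4h(raw: str) -> str:
    method, version, headers = parse_request(raw)
    names, cookies, referer, lang = [], {}, False, "0000"
    for name, value in headers:
        key = name.lower()
        if key == "cookie":            # excluded from the header list; feeds parts c and d
            for part in value.split(";"):
                k, _, v = part.strip().partition("=")
                if k:
                    cookies[k] = v
            continue
        if key == "referer":           # excluded from the header list; only sets the flag
            referer = True
            continue
        if key == "accept-language":   # first language, lowercased, alphanumerics only, 4 chars
            primary = value.split(",")[0].split(";")[0].lower()
            lang = "".join(ch for ch in primary if ch.isalnum())[:4].ljust(4, "0")
        names.append(name)
    a = (f"{method[:2].lower()}{HTTP_VERSIONS.get(version, '00')}"
         f"{'c' if cookies else 'n'}{'r' if referer else 'n'}{min(len(names), 99):02d}{lang}")
    b = _h12(",".join(names))
    c = _h12(",".join(sorted(cookies))) if cookies else "0" * 12
    d = _h12(",".join(f"{k}={cookies[k]}" for k in sorted(cookies))) if cookies else "0" * 12
    return f"{a}_{b}_{c}_{d}"


def app_fingerprint(fp: str) -> str:
    """JA4H_a + JA4H_b: what the client software looks like."""
    a, b, _c, _d = fp.split("_")
    return f"{a}_{b}"


def user_fingerprint(fp: str) -> str:
    """JA4H_d: the user's session cookies, values included."""
    return fp.split("_")[3]


def detect_session_hijack(events: List[Tuple[str, str]]) -> List[dict]:
    """events: (source_ip, raw_request). Alert when one JA4H_d is reused by a different app."""
    first_seen: Dict[str, Tuple[str, str]] = {}
    alerts = []
    for src_ip, raw in events:
        fp = ja4h(raw)
        user, app = user_fingerprint(fp), app_fingerprint(fp)
        if user == "0" * 12:           # no cookies: nothing to track
            continue
        if user not in first_seen:
            first_seen[user] = (app, src_ip)
        elif first_seen[user][0] != app:
            alerts.append({"ja4h_d": user, "first": first_seen[user], "now": (app, src_ip)})
    return alerts


# Constructed sample traffic (not real captures). The tool copies the browser's cookie
# and even its User-Agent, but sends a different header set.
BROWSER = ("GET /portal HTTP/1.1\r\nHost: app.example.com\r\nConnection: keep-alive\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 10.0) Chrome/132.0\r\nAccept: text/html\r\n"
           "Accept-Language: en-US,en;q=0.9\r\nCookie: SESSION=a1b2c3; csrftoken=zz9\r\n\r\n")
OTHER_USER = BROWSER.replace("SESSION=a1b2c3", "SESSION=d4e5f6")
TOOL = ("GET /portal HTTP/1.1\r\nHost: app.example.com\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 10.0) Chrome/132.0\r\n"
        "Cookie: SESSION=a1b2c3; csrftoken=zz9\r\n\r\n")
EVENTS = [("10.0.0.5", BROWSER), ("10.0.0.5", BROWSER), ("10.0.0.9", OTHER_USER), ("203.0.113.7", TOOL)]

if __name__ == "__main__":
    print("browser:", ja4h(BROWSER))   # ge11cn05enus_..._<c>_<d>
    print("tool:   ", ja4h(TOOL))      # ge11cn020000_..._<same c>_<same d>
    for alert in detect_session_hijack(EVENTS):
        print("possible session hijack:", alert)
```

Both requests share JA4H_c (same cookie field names, the "everyone on this app looks alike" property from the thread) and JA4H_d (same session token), but the tool's header count, missing Accept-Language and different header order give it a different a+b, which is what the alert keys on. The repeated browser request and the second user's session do not alert.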
## JA4X509 - JA4X:
X509 TLS Certificate Fingerprint
JA4X fingerprints the structure of a cert, not the values within it. This essentially makes it a fingerprint of the application or script used to create a cert, not a fingerprint of the cert itself. As such, it's great for finding things like SOHO devices and malware C2s.