Carousel Studio

Repurpose X Threads into LinkedIn & Instagram Carousels

Thread Truncated (Cap Enforced)

Only the first 20 tweets are unrolled into slides to ensure reliable PDF exporting and high server performance.

Canvas & Ratio

Choose your destination platform format


Layout Template

Choose a content structure for your slides


Preset Themes


Typography & Sizing

Title Font Size36px
Body Font Size18px
Header & Footer Size12px

Brand Kit Customization

AGENCY

Configure brand assets for headers & footers

MULTI-PROFILES (AGENCY)
AGENCY
SAVE PRESETS (AGENCY)

Outro Slide CTA

Customize your closing call-to-action slide

#1
#2
#3

Background Pattern

Source Content

Build Your Carousel

Drag and drop any post card below onto a slide, or use the quick buttons to insert content/images instantly!

Drag Post #1
John Althouse
@4A4133

## Starting with JA4: TLS Client Fingerprint

Apply Image
Drag Post #2
John Althouse
@4A4133

JA4 (the replacement to JA3) fingerprints clients based on their TLS Client Hello packet which is sent before encryption, allowing you to know what's talking on the network without the need to break encryption.

Drag Post #3
John Althouse
@4A4133

Apply Image
Drag Post #4
John Althouse
@4A4133

Chrome 132: JA4=t13d1517h2_8daaf6152771_b6f405a00624 AnyDesk: JA4=t12i550500_168bb377f8c8_a1e935682795 SoftEther VPN: JA4=t13d880900_fcb5b95cb75a_b0d3b4ac2a14 Sliver Malware (GoLang): JA4=t13d190900_9dc949149365_97f8aa674fd9

Drag Post #5
John Althouse
@4A4133

## JA4Server - JA4S: TLS Server Response Fingerprint

Drag Post #6
John Althouse
@4A4133

Apply Image
Drag Post #7
John Althouse
@4A4133

Each TLS server may respond to different clients differently but will always respond to the same client with the same fingerprint which allows for higher fidelity detection.

Drag Post #8
John Althouse
@4A4133

AnyDesk: JA4=t12i550500_168bb377f8c8_a1e935682795 JA4S=t120300_009f_cef8820c8f19 SoftEther VPN: JA4=t13d880900_fcb5b95cb75a_b0d3b4ac2a14 JA4S=t130200_1302_a56c5b993250

Drag Post #9
John Althouse
@4A4133

Addigy (written in Go): JA4=t13d190900_9dc949149365_97f8aa674fd9 (Go) JA4S=t130200_1301_234ea6891581 <-- (Addigy server response to Go)

Drag Post #10
John Althouse
@4A4133

Sliver Malware (written in Go) JA4=t13d190900_9dc949149365_97f8aa674fd9 (Go) JA4S=t130200_1301_a56c5b993250 <-- (C2 response to Go)

Drag Post #11
John Althouse
@4A4133

When looking for certain traffic, rarely do you want to rely on JA4 alone as there could be too many FPs, instead you want to combine as many fingerprints and additional metadata as possible such as JA4 AND JA4S AND JA4X, etc.

Drag Post #12
John Althouse
@4A4133

The more fingerprints you can combine along with other metadata, the higher fidelity detection you can build.

Drag Post #13
John Althouse
@4A4133

## JA4HTTP - JA4H: HTTP Client Fingerprint

Drag Post #14
John Althouse
@4A4133

Apply Image
Drag Post #15
John Althouse
@4A4133

Apply Image
Drag Post #16
John Althouse
@4A4133

Parts 'a' and 'b' are effectively a fingerprint of the application. In the above example, Lumma C2 pretends to be the Tesla Browser in its user-agent string, yet you can clearly see that, when doing a post request over HTTP/1.1, their fingerprints look completely different. Just another reason to never trust user-agent strings.

Drag Post #17
John Althouse
@4A4133

Part 'c' is the fingerprint of the cookie. Each website/app defines what it's cookie fields should be, therefor everyone connecting to a Fortigate Firewall, for example, should all have the exact same JA4H_c fingerprint, because the cookie fields are set by the Fortigate upon login. Anyone with a different cookie is probably a hacking tool.

Drag Post #18
John Althouse
@4A4133

Part 'd' is the user's cookie fingerprint, this is unique to that user as it includes their session token and other specific data. This allows you to track a user through your site with JA4H_d and if it stays the same but the application fingerprint changes from Chrome to say, Cobalt Strike, then that's session hijacking. Easy.

Drag Post #19
John Althouse
@4A4133

## JA4X509 - JA4X: X509 TLS Certificate Fingerprint

Drag Post #20
John Althouse
@4A4133

JA4X fingerprints the structure of a cert, not the values within it. This essentially makes it a fingerprint of the application or script used to create a cert, not a fingerprint of the cert itself. As such, it's great for finding things like SOHO devices and malware C2s.