TLS Fingerprinting with JA3 and JA3S




TL;DR

In this blog post, I’ll go over how to utilize JA3 with JA3S as a method to fingerprint the TLS negotiation between client and server. This combined fingerprinting can assist in producing higher fidelity identification of the encrypted communication between a specific client and its server. For example — Standard Tor Client:

JA3 = e7d705a3286e19ea42f587b344ee6865 ( Tor Client )
JA3S = a95ca7eab4d47d051a5cd4fb7b6005dc( Tor Server Response )

The Tor servers always respond to the Tor client in exactly the same way, providing higher confidence that the traffic is indeed Tor. Further examples — Trickbot malware:

JA3 = 6734f37431670b3ab4292b8f60f29984 ( Trickbot )
JA3S = 623de93db17d313345d7ea481e7443cf( C2 Server Response )

Emotet malware:

JA3 = 4d7a28d6f2263ed61de88ca66eb011e3 ( Emotet )
JA3S = 80b3a14bccc8598a1f3bbe83e71f735f ( C2 Server Response )

In these malware examples, the command and control server always responds to the malware client in exactly the same way; it does not deviate. So even though the traffic is encrypted and one ma