Added 'JA3S Fingerprint' operation

2025-04-22 15:56:16 -04:00 · 2021-08-10 14:57:34 +01:00 · 2021-08-10 14:57:34 +01:00 · 289a417dfb
commit 289a417dfb
parent 8379a9b275
6 changed files with 217 additions and 16 deletions
--- a/src/core/config/Categories.json
+++ b/src/core/config/Categories.json
@ -193,7 +193,8 @@
            "Protobuf Decode",
            "VarInt Encode",
            "VarInt Decode",
-            "TLS JA3 Fingerprint",
+            "JA3 Fingerprint",
+            "JA3S Fingerprint",
            "Format MAC addresses",
            "Change IP format",
            "Group IP addresses",
--- a/src/core/operations/TLSJA3Fingerprint.mjs
+++ b/src/core/operations/TLSJA3Fingerprint.mjs
@ -18,17 +18,17 @@ import Stream from "../lib/Stream.mjs";
 import {runHash} from "../lib/Hash.mjs";

 /**
- * TLS JA3 Fingerprint operation
+ * JA3 Fingerprint operation
 */
-class TLSJA3Fingerprint extends Operation {
+class JA3Fingerprint extends Operation {

    /**
-     * TLSJA3Fingerprint constructor
+     * JA3Fingerprint constructor
     */
    constructor() {
        super();

-        this.name = "TLS JA3 Fingerprint";
+        this.name = "JA3 Fingerprint";
        this.module = "Crypto";
        this.description = "Generates a JA3 fingerprint to help identify TLS clients based on hashing together values from the Client Hello.<br><br>Input: A hex stream of the TLS Client Hello application layer.";
        this.infoURL = "https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967";
@ -202,4 +202,4 @@ const GREASE_CIPHERSUITES = [
    0xfafa
 ];

-export default TLSJA3Fingerprint;
+export default JA3Fingerprint;
--- a/src/core/operations/JA3SFingerprint.mjs
+++ b/src/core/operations/JA3SFingerprint.mjs
@ -0,0 +1,145 @@
+/**
+ * @author n1474335 [n1474335@gmail.com]
+ * @copyright Crown Copyright 2021
+ * @license Apache-2.0
+ *
+ * JA3S created by Salesforce
+ *   John B. Althouse
+ *   Jeff Atkinson
+ *   Josh Atkins
+ *
+ * Algorithm released under the BSD-3-clause licence
+ */
+
+import Operation from "../Operation.mjs";
+import OperationError from "../errors/OperationError.mjs";
+import Utils from "../Utils.mjs";
+import Stream from "../lib/Stream.mjs";
+import {runHash} from "../lib/Hash.mjs";
+
+/**
+ * JA3S Fingerprint operation
+ */
+class JA3SFingerprint extends Operation {
+
+    /**
+     * JA3SFingerprint constructor
+     */
+    constructor() {
+        super();
+
+        this.name = "JA3S Fingerprint";
+        this.module = "Crypto";
+        this.description = "Generates a JA3S fingerprint to help identify TLS servers based on hashing together values from the Server Hello.<br><br>Input: A hex stream of the TLS Server Hello record in the application layer.";
+        this.infoURL = "https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967";
+        this.inputType = "string";
+        this.outputType = "string";
+        this.args = [
+            {
+                name: "Input format",
+                type: "option",
+                value: ["Hex", "Base64", "Raw"]
+            },
+            {
+                name: "Output format",
+                type: "option",
+                value: ["Hash digest", "JA3S string", "Full details"]
+            }
+        ];
+    }
+
+    /**
+     * @param {string} input
+     * @param {Object[]} args
+     * @returns {string}
+     */
+    run(input, args) {
+        const [inputFormat, outputFormat] = args;
+
+        input = Utils.convertToByteArray(input, inputFormat);
+        const s = new Stream(new Uint8Array(input));
+
+        const handshake = s.readInt(1);
+        if (handshake !== 0x16)
+            throw new OperationError("Not handshake data.");
+
+        // Version
+        s.moveForwardsBy(2);
+
+        // Length
+        const length = s.readInt(2);
+        if (s.length !== length + 5)
+            throw new OperationError("Incorrect handshake length.");
+
+        // Handshake type
+        const handshakeType = s.readInt(1);
+        if (handshakeType !== 2)
+            throw new OperationError("Not a Server Hello.");
+
+        // Handshake length
+        const handshakeLength = s.readInt(3);
+        if (s.length !== handshakeLength + 9)
+            throw new OperationError("Not enough data in Server Hello.");
+
+        // Hello version
+        const helloVersion = s.readInt(2);
+
+        // Random
+        s.moveForwardsBy(32);
+
+        // Session ID
+        const sessionIDLength = s.readInt(1);
+        s.moveForwardsBy(sessionIDLength);
+
+        // Cipher suite
+        const cipherSuite = s.readInt(2);
+
+        // Compression Method
+        s.moveForwardsBy(1);
+
+        // Extensions
+        const extensionsLength = s.readInt(2);
+        const extensions = s.getBytes(extensionsLength);
+        const es = new Stream(extensions);
+        const exts = [];
+        while (es.hasMore()) {
+            const type = es.readInt(2);
+            const length = es.readInt(2);
+            es.moveForwardsBy(length);
+            exts.push(type);
+        }
+
+        // Output
+        const ja3s = [
+            helloVersion.toString(),
+            cipherSuite,
+            exts.join("-")
+        ];
+        const ja3sStr = ja3s.join(",");
+        const ja3sHash = runHash("md5", Utils.strToArrayBuffer(ja3sStr));
+
+        switch (outputFormat) {
+            case "JA3S string":
+                return ja3sStr;
+            case "Full details":
+                return `Hash digest:
+${ja3sHash}
+
+Full JA3S string:
+${ja3sStr}
+
+TLS Version:
+${helloVersion.toString()}
+Cipher Suite:
+${cipherSuite}
+Extensions:
+${exts.join("-")}`;
+            case "Hash digest":
+            default:
+                return ja3sHash;
+        }
+    }
+
+}
+
+export default JA3SFingerprint;