Giter VIP home page Giter VIP logo

ja3's Introduction

JA3 - Wireshark/tshark plugin

An implementation of the JA3 TLS client fingerprinting algorithm for wireshark/tshark.

Installation

  1. Copy ja3.lua to the plugin folder
  2. Download a copy of md5.lua and copy it to the plugin folder
    • Alternatively Ubuntu users can install a compatible library by running apt install lua-md5

Usage

In Wireshark, for TLS or SSL packets, this plugin will display additional information. JA3 information in form of full info and MD5-hash for client handshake packets. JA3S information will be displayed for server hello packets.

wget https://raw.githubusercontent.com/fullylegit/ja3/master/ja3.lua
wget https://raw.githubusercontent.com/kikito/md5.lua/master/md5.lua

cp -r ja3.lua md5.lua /usr/lib/x86_64-linux-gnu/wireshark/plugins
wireshark==>analyzer==>reolad lua plugins==>filter tls

ja3's People

Contributors

alberts-s avatar ezzizzle avatar fullylegit avatar gellanyhassan0 avatar jm33-m0 avatar r-graafmans avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

marshha r-graafmans hqjatu alberts-s ezzizzle 5l1v3r1 05t3 fpena06 andersonfti tducret gellanyhassan0 zhangdebiao vanplus suheylsbusiness toddmaxey jm33-m0 jqk6

ja3's Issues

unexpected symbol near '<'

When I try to add the ja3.lua and md5.lua to the Wireshark's plugin folder in my Ubuntu machine I get the following errors :-

Lua: syntax error: /home/ayush/.local/lib/wireshark/plugins/ja3.lua:8: unexpected symbol near '<'

Lua: syntax error: /home/ayush/.local/lib/wireshark/plugins/md5.lua:8: unexpected symbol near '<'

Can someone help me with this issue ?
I am using Ubuntu 20.04.4 LTS

Surprisingly I, didnt got this issue in my Windows machine

License for this project

Hi, can a license be added for this project? There are a few issues I came across, and I'd like to see if I can contribute with some fixes.

JA3 fingerprint discrepancy when compare with other JA3 tools

Thanks for plugin, I compared it's output with these JA3 online tools:

and found some discrepancy.

The difference happens because your plugin include some extension types into ja3 fingerprint, but these tools ignore these extensions and not include it into ja3 fingerprint. Both tools showing exactly the same JA3 fingerprint, but it is different from one calculated with this wireshark plugin. For example, it happens for the following extension types:

  • 20 (server_certificate_type)
  • 24 (token_binding)
  • 25 (cached_info),
  • 30032 (channel_id)
  • etc.

So, it looks that this plugin exclude GREASE values, but still include some other extension types into JA3 fingerprint. While other tools ignore these extension types.

For example you can compare Android Chrome v49 TLS fingerprint (it works with TLS 1.2).

Any idea which JA3 implementation is more correct?

JA3 hash is not correct

Hi,

I'm using Wireshark v3.2.1 on Windows and used following PCAP for testing the LUA script:
PCAP: https://www.malware-traffic-analysis.net/2020/01/29/2020-01-29-Qbot-infection-traffic.pcap.zip
Blog: https://unit42.paloaltonetworks.com/tutorial-qakbot-infection/

Display Filter: ip.addr eq 68.1.115.106 and tls.handshake.type eq 11

I used Network Miner Professional to get the JA3 hash: 7dd50e112cd23734a310b90f6f44a7cd
I found this blacklisted JA3 hash on SSLBL by abuse.ch: https://sslbl.abuse.ch/ja3-fingerprints/7dd50e112cd23734a310b90f6f44a7cd/

ja3.lua gives me following JA3 hash: 7c02dbae662670040c7af9bd15fb7e2f

Please check. Thank you!

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.