JA3 was introduced in 2017 by Salesforce to fingerprint Client Hello packets in a TLS/SSL handshake. This simple idea opened up the real-world possibility of using TLS fingerprinting to identify anomalous client applications in a network environment. It is particularly useful for identifying unusual binaries and executables that conduct Command and Control operations over encrypted HTTPS channels. In late 2020, its server-side counterpart, JARM, was introduced and extended a similar TLS-based analysis to fingerprint servers. The core idea of JARM is to send ten specially crafted TLS Client Hello packets and capture the server's responses. Those responses are unique enough for network administrators to identify anomalous connections within their corporate environment.
The infrastructure (e.g., IP address, hosting platform) does not influence these signatures, which makes them challenging to evade. Instead, the server's operating system and the development environment of the client application (for JA3) or the server application (for JARM) determine the resulting signature. This means it is not trivial for a threat actor to produce a completely new JA3 or JARM fingerprint or to impersonate other applications, unlike other identifying mechanisms in HTTPS such as User-Agent strings. This JA3 evasion challenge stood until the introduction of JA3Transport in 2019. JA3Transport is a Go library for evading client-side JA3 fingerprinting: it lets a threat actor wrap HTTPS sessions with a specific desired JA3 fingerprint to blend into existing traffic and avoid detection.
In this talk, we will present the server-side counterpart to JA3Transport. We will present a few methods of evading JARM-based fingerprinting and provide a JARM randomizer proxy that can be placed in front of a Command and Control channel to thwart any JARM-based block list. This randomizer proxy, written in Python 3, can be used out of the box or as a starting point for custom configuration in commodity and in-house C2 tools. We will also outline the challenges of using the proxy, chiefly the cap on the number of distinct random signatures it can produce, and directions for future improvements.
We will also discuss scaling this tactic to avoid blocklists by generating signature sets large enough that any blocklist becomes infeasible to maintain. We will also discuss other ways to evade JARM-based allow lists: (1) mimicking a targeted server's configuration to obtain the desired fingerprint, and (2) profiling and spoofing the specially crafted Client Hello packets themselves. We will conclude by providing the theoretical groundwork for future research and automation of these three tactics, and general directions for TLS-based fingerprinting that is more difficult to evade.
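From the defender's side, the observable side effect of a randomizer proxy like the one described above is that the same host answers with a different JARM on successive scans. The following is an added example, not code from the talk or its proxy, that flags such fingerprint churn in a scan log; it assumes the 62-character hexadecimal JARM string format and uses constructed hosts, fingerprints and timestamps.

```python
from collections import defaultdict
from datetime import datetime, timedelta

JARM_LEN = 62                 # JARM fingerprint length (assumption, see lead-in)
NO_RESPONSE = "0" * JARM_LEN  # JARM reports all zeros when a server does not answer

# Constructed fingerprints: made-up values of the right shape, not real servers.
FP_A = "2ad2ad0002ad2ad00042d42d000000" + "0123456789abcdef0123456789abcdef"
FP_B1 = "21d19d00021d21d21c21d19d21d21d" + "fedcba9876543210fedcba9876543210"
FP_B2 = "07d0bd0004d0bd0007d0bd07d0bd07" + "00112233445566778899aabbccddeeff"
FP_B3 = "29d29d00029d29d21c29d29d29d29d" + "abcdefabcdefabcdefabcdefabcdefab"

# Constructed scan log: (host, jarm, ISO timestamp). churn.example changes on every scan.
SAMPLE_SCANS = [
    ("stable.example", FP_A, "2021-03-01T10:00:00"),
    ("stable.example", FP_A, "2021-03-01T11:00:00"),
    ("churn.example", FP_B1, "2021-03-01T10:00:00"),
    ("churn.example", FP_B2, "2021-03-01T10:30:00"),
    ("churn.example", FP_B3, "2021-03-01T11:00:00"),
    ("quiet.example", NO_RESPONSE, "2021-03-01T10:00:00"),
]

def is_valid_jarm(jarm):
    """True for a well-formed JARM string that is not the all-zero no-response value."""
    return (len(jarm) == JARM_LEN
            and all(c in "0123456789abcdef" for c in jarm)
            and jarm != NO_RESPONSE)

def distinct_fingerprints(scans, window=timedelta(hours=2)):
    """Map each host to the largest number of distinct JARMs seen inside any sliding
    window of length `window`; a count above 1 is worth triaging even when no single
    fingerprint is on a blocklist."""
    by_host = defaultdict(list)
    for host, jarm, ts in scans:
        if is_valid_jarm(jarm):              # drop malformed and no-response rows
            by_host[host].append((datetime.fromisoformat(ts), jarm))
    result = {}
    for host, obs in by_host.items():
        obs.sort()                           # chronological order per host
        best = 0
        for i, (start, _) in enumerate(obs):
            seen = {j for t, j in obs[i:] if t - start <= window}
            best = max(best, len(seen))
        result[host] = best
    return result

def flag_unstable_hosts(scans, window=timedelta(hours=2), threshold=2):
    """Hosts whose JARM took at least `threshold` distinct values within one window."""
    return sorted(h for h, n in distinct_fingerprints(scans, window).items() if n >= threshold)
```

Run over a real scan history, the same function complements an exact-match blocklist: a host that is never on the list but never answers with the same JARM twice is the pattern a randomizer produces.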