Many sites have written about this TLS/SSL fingerprinting method.
JA3 and JA3S are passive fingerprints, whereas JARM is an active fingerprint.
More details on this by John Althouse himself here: https://medium.com/@jalthouse/great-question-11aa555f6b28
I decided to add JA3 and JA3S to my Bro/Zeek installation/detection threat hunting tools.
On the server that is running the SPAN port and the RITA tool, I’m adding the ja3 package.
pip3 install bro-pkg
zkg list ja3 returns:
zeek/hosom/bro-ja3 – Generate and log ja3 ssl fingerprints
zeek/salesforce/ja3 – JA3 creates 32 character SSL client fingerprints and logs them as a field in ssl.log.
zkg install zeek/salesforce/ja3
That’s it. Now the ssl.log file will contain two more columns, JA3 and JA3S.
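One way to hunt with the new ja3 and ja3s columns, as an added example that is not part of the original post or of the ja3 package: read ssl.log in Zeek's TSV layout and list the JA3/JA3S pairs used by only one internal host. The sample log, the placeholder hashes, the function names and the one-client threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed placeholder hashes (not real fingerprints) and a constructed,
# column-trimmed ssl.log in Zeek's TSV layout with the ja3/ja3s columns added.
COMMON, RARE, SRV_A, SRV_B = "a" * 32, "b" * 32, "c" * 32, "d" * 32
SAMPLE_SSL_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#path\tssl",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tserver_name\tja3\tja3s",
    f"1600000000.1\tC1\t10.0.0.5\t192.0.2.10\twww.example.com\t{COMMON}\t{SRV_A}",
    f"1600000001.2\tC2\t10.0.0.6\t192.0.2.10\twww.example.com\t{COMMON}\t{SRV_A}",
    f"1600000002.3\tC3\t10.0.0.7\t192.0.2.11\texample.org\t{COMMON}\t{SRV_A}",
    f"1600000003.4\tC4\t10.0.0.9\t203.0.113.50\t-\t{RARE}\t{SRV_B}",
    f"1600000063.4\tC5\t10.0.0.9\t203.0.113.50\t-\t{RARE}\t{SRV_B}",
    "1600000070.0\tC6\t10.0.0.5\t192.0.2.12\t-\t-\t-",  # handshake not seen
])

def read_zeek_tsv(text):
    """Yield one dict per record, named by the #fields header line."""
    fields, unset = [], "-"
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#unset_field"):
            unset = line.split("\t")[1]
        elif line and not line.startswith("#"):
            yield {k: (None if v == unset else v)
                   for k, v in zip(fields, line.split("\t"))}

def rare_fingerprints(records, max_clients=1):
    """Return {(ja3, ja3s): stats} for pairs used by <= max_clients hosts."""
    seen = defaultdict(lambda: {"clients": set(), "servers": set(), "count": 0})
    for r in records:
        if not r.get("ja3"):  # no fingerprint logged for this connection
            continue
        entry = seen[(r["ja3"], r.get("ja3s"))]
        entry["clients"].add(r["id.orig_h"])
        entry["servers"].add(r["server_name"] or r["id.resp_h"])  # SNI may be unset
        entry["count"] += 1
    return {k: v for k, v in seen.items() if len(v["clients"]) <= max_clients}

if __name__ == "__main__":
    for (ja3, ja3s), s in rare_fingerprints(read_zeek_tsv(SAMPLE_SSL_LOG)).items():
        print(ja3, ja3s, sorted(s["clients"]), sorted(s["servers"]), s["count"])
```

A rare pair is a lead to investigate, not a verdict: many unrelated clients can share one JA3, and a newly installed application will also show up as rare.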
JARM, in a nutshell, is active scanning: it sends 10 different TLS Hellos and generates a hash that depends on the answers to the ciphers proposed.
Source code here: https://github.com/salesforce/jarm/blob/master/jarm.py or via Gitpod https://gitpod.io/#/https://github.com/salesforce/jarm/blob/master/jarm.py
Shodan has now integrated the JARM scanner results, for example to find the Cobalt Strike JARM signature.