TLS fingerprinting of clients: hash types, utilities for displaying TLS fingerprints of clients
Contents
1. TLS fingerprinting: methods for identifying client and server software
2. TLS fingerprinting of clients: hash types, utilities for displaying TLS fingerprints of clients
2.1 Client TLS fingerprinting hash types
2.2 Tools for TLS fingerprinting of clients
2.2.5 Online service for displaying JA3 and JA4 fingerprints
2.3 Weaknesses of TLS fingerprints of clients.
2.4 JA3, JA3N and JA4 hash databases
2.5 Client TLS fingerprints may change in new software versions
2.6 TLS fingerprinting of QUIC clients
3. TLS fingerprinting of servers: hash types, utilities for displaying TLS fingerprints of servers
4. How to change TLS fingerprints and impersonate other applications. How to bypass filtering based on TLS fingerprinting
2.1 Client TLS fingerprinting hash types
JA3 is the original version of the client TLS fingerprint. Currently, the Google Chrome web browser actively resists obtaining this TLS fingerprint – as a result, for the Google Chrome web browser, this value is different every time.
JA3_FULL is the raw data used to obtain the JA3 hash.
JA3N is an improved version of JA3 – it sorts the part of the data whose order is randomized in Google Chrome, due to which the hash becomes the same for all Google Chrome requests (and other applications that use this method of preventing TLS fingerprinting).
JA3N_FULL is the raw data used to obtain the JA3N hash.
Note: if you are wondering which part of the data is randomized in Google Chrome, it is the third component of the hashed string, i.e. SSLExtension (List of SSL Extensions): the set of extensions in one version of Google Chrome remains unchanged, but the order in which they are listed changes with each request.
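The normalization described in the note above, as an added Python example that is not part of the original article: it sorts the extension field of a JA3 raw string numerically, hashes the result with MD5 as JA3 does, and simulates a client that shuffles its extension order on every connection. The function names are illustrative; the two raw strings are the Firefox JA3_FULL and Chrome JA3N_FULL values from the table in section 2.4.

```python
import hashlib
import random

# Raw strings copied from the table in section 2.4 of this article.
FIREFOX_JA3_FULL = (
    "771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-"
    "49171-49172-156-157-47-53,"
    "0-23-65281-10-11-35-16-5-34-51-43-13-45-28-27-65037,"
    "4588-29-23-24-25-256-257,0"
)
CHROME_JA3N_FULL = (
    "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-"
    "156-157-47-53,"
    "0-5-10-11-13-16-18-23-27-35-43-45-51-17513-65037-65281,"
    "25497-29-23-24,0"
)


def split_ja3(ja3_full):
    """Split a JA3 raw string into its five comma-separated fields."""
    fields = ja3_full.strip().split(",")
    if len(fields) != 5:
        raise ValueError("expected 5 fields, got %d" % len(fields))
    return fields


def ja3n_full(ja3_full):
    """Return the JA3N raw string: only the extension field is sorted."""
    version, ciphers, extensions, curves, formats = split_ja3(ja3_full)
    ids = sorted(int(x) for x in extensions.split("-") if x)  # numeric sort
    return ",".join([version, ciphers, "-".join(map(str, ids)), curves, formats])


def ja3_hash(raw):
    """JA3 and JA3N are both the MD5 of their raw string."""
    return hashlib.md5(raw.encode("ascii")).hexdigest()


def ja3n_hash(ja3_full):
    return ja3_hash(ja3n_full(ja3_full))


def shuffle_extensions(ja3_full, seed):
    """Simulate a client sending the same extensions in a random order."""
    version, ciphers, extensions, curves, formats = split_ja3(ja3_full)
    ids = extensions.split("-")
    random.Random(seed).shuffle(ids)
    return ",".join([version, ciphers, "-".join(ids), curves, formats])


def simulate(base_raw, connections=5):
    """Return (JA3, JA3N) for several simulated connections of one client."""
    rows = []
    for seed in range(connections):
        raw = shuffle_extensions(base_raw, seed)
        rows.append((ja3_hash(raw), ja3n_hash(raw)))
    return rows


if __name__ == "__main__":
    print("Firefox JA3N_FULL:", ja3n_full(FIREFOX_JA3_FULL))
    for ja3_value, ja3n_value in simulate(CHROME_JA3N_FULL):
        print("JA3", ja3_value, " JA3N", ja3n_value)
```
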
JA4 is the next version of the TLS client fingerprint. Currently, it gives the same result from request to request for the Google Chrome web browser. The JA4 TLS fingerprint is part of the JA4+ fingerprint group, whose distinguishing feature is that a fingerprint consists of several parts separated by the underscore character, for example:
t13d1516h2_8daaf6152771_02713d6af862
The first part encodes information and is not hashed, the second and third parts are truncated hashes.
Let's look at the structure of the first part of the hash (JA4_a):
- The first character (“t”) means the TCP protocol; there may also be a “q” character, which stands for the QUIC protocol.
- The next two characters stand for the TLS version: 1.2 = “12”, 1.3 = “13”.
- The next letter may be “d” or “i”, determined by the Server Name Indication (SNI) TLS extension: if the extension is present, that is, the TLS handshake contains the domain name for which it is intended, the letter is “d”, which means “domain”; if SNI is missing, the letter is “i”, which in this case means “IP”.
- Then comes a two-digit number: the number of cipher suites, excluding GREASE.
- Then another two-digit number: the number of extensions, excluding GREASE.
- Finally, the last two characters are taken from the Application-Layer Protocol Negotiation (ALPN) TLS extension value. If the ALPN extension is missing, “00” is indicated.
The second part of the hash (JA4_b) is a truncated SHA256 hash, obtained by hashing the sorted Cipher Suite string.
The third part of the hash (JA4_c) is a truncated SHA256 hash, obtained by hashing the string made of the sorted Extensions plus the Signature Algorithms in the order they appear.
More technical details about JA4 here: https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md
JA4_R is the raw data used to derive the JA4 hash.
JA4_o and its corresponding raw data string JA4_ro: this is a modification of the JA4 hash, in this hash the letter “o” stands for “original” – meaning the original order of the ciphers, without their sorting (as is done in JA4), but minus GREASE. This means that SNI (0000) and ALPN (0010) are included.
TS1 – uses more data for TLS fingerprinting clients, but is not yet ready. Homepage: https://github.com/lwthiker/ts1.
2.2 Tools for TLS fingerprinting of clients
2.2.1 Wireshark
Wireshark now displays JA3 and JA4 hashes; the corresponding filters are:
tls.handshake.ja3
tls.handshake.ja4
For more details, see here: Wireshark filters for software type identification (TLS fingerprinting)
2.2.2 TShark
TShark (in some Linux distributions, the package is called wireshark-cli) is a console interface for Wireshark. With TShark, you can do everything that you can do with Wireshark, and when it comes to automation, TShark is unrivaled.
The following command will capture traffic and output JA4 hashes:
sudo tshark -Y "tls.handshake.ja3" -T fields -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.extensions_server_name -e tls.handshake.ja4
Note: you may notice that the display filter specifies ja3, and the output field specifies ja4 – there is no error here, all packets for which ja3 is calculated also necessarily contain ja4, since the same data type is used to calculate them. That is, -Y "tls.handshake.ja3" can be replaced with -Y "tls.handshake.ja4" and absolutely nothing will change – you can choose either of these values.
The fields that will be displayed will be:
- IP or IPv6 address of the client
- IP or IPv6 address of the server
- Domain to which the request was sent
- JA4 hash
If you are not connected to an IPv6 network, you can remove the following options from the command:
-e ipv6.src -e ipv6.dst
A single command can display both JA3 and JA4 hashes:
sudo tshark -Y "tls.handshake.ja3" -T fields -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.extensions_server_name -e tls.handshake.ja3 -e tls.handshake.ja4
The following command analyzes a file with captured network traffic (the path to the file is specified after the -r option):
tshark -Y "tls.handshake.ja3" -T fields -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.extensions_server_name -e tls.handshake.ja3 -e tls.handshake.ja4 -r /mnt/disk_d/Share/Captures/ssl_443.pcapng
If you want to get JA3 and JA4 hashes for a specific program that made the request, you need to combine the command with one or more of the following filters:
IP or IPv6 address of the request source:
ip.src
ipv6.src
IP or IPv6 address of the server to which the request was sent:
ip.dst
ipv6.dst
Moreover, you need to understand that for all applications on your computer the IP or IPv6 address is the same, therefore, to obtain the desired result, you need to do the following:
1) make a request with the client for which you want to receive JA3 and JA4 fingerprints to a specific web server on the Internet
2) filter in TShark the values in which the IP or IPv6 address of the server is specified as the destination IP.
For example, the following command will show JA3 and JA4 fingerprints for a client that sent a request to a server with IPv6 2604:a880:800:c1::2ae:d001:
tshark -Y "tls.handshake.ja3 and ipv6.dst == 2604:a880:800:c1::2ae:d001" -T fields -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.extensions_server_name -e tls.handshake.ja3 -e tls.handshake.ja4 -r /mnt/disk_d/Share/Captures/just-test.pcapng
You can specify headers for the output and choose a different separator for the data fields (the default is a tab character). If you select a comma as a separator, such data can be saved to a .csv file and opened by a program that supports this format (for example, LibreOffice Calc or MS Excel).
tshark -E separator=',' -E header=y -Y "tls.handshake.ja3" -T fields -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.extensions_server_name -e tls.handshake.ja3 -e tls.handshake.ja4 -r /mnt/disk_d/Share/Captures/just-test.pcapng > test.csv
If you want to see the full lines from which the JA3 and JA4 hashes are calculated, add the following options to your command:
-e tls.handshake.ja3_full -e tls.handshake.ja4_r
For example:
tshark -Y "tls.handshake.ja3" -T fields -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.extensions_server_name -e tls.handshake.ja3 -e tls.handshake.ja3_full -e tls.handshake.ja4 -e tls.handshake.ja4_r -r /mnt/disk_d/Share/Captures/just-test.pcapng
If you prefer the JSON format, then instead of -T fields specify -T json, for example:
sudo tshark -E header=y -Y "tls.handshake.ja3" -T json -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.extensions_server_name -e tls.handshake.ja3 -e tls.handshake.ja4
Similarly, JSON output can be obtained by parsing capture files:
tshark -T json -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.extensions_server_name -e tls.handshake.ja3 -e tls.handshake.ja4 -r /mnt/disk_d/Share/Captures/ssl_443.pcapng
2.2.3 JA4+
The JA4+ repository contains various files, including a Python script that extracts JA4, JA4S, JA4H, JA4L, JA4LS, JA4X, JA4SSH, JA4T, JA4TS fingerprints from PCAP files.
For information on how to install this script from JA4+, see here: https://en.kali.tools/?p=1895 (section “How to install JA4+”).
Let's look at a few examples of using ja4.py from the JA4+ repository.
To print only JA4 hashes found in /mnt/disk_d/Share/Captures/ssl_443.pcapng:
python ja4.py --ja4 /mnt/disk_d/Share/Captures/ssl_443.pcapng
Print all TLS fingerprint hash types found in /mnt/disk_d/Share/Captures/ssl_443.pcapng, using JSON format:
python ja4.py --json /mnt/disk_d/Share/Captures/ssl_443.pcapng
Print all TLS fingerprint hash types found in /mnt/disk_d/Share/Captures/ssl_443.pcapng, plus print raw strings used to calculate hashes (-r), display the result on the screen in JSON format (--json):
python ja4.py -r --json /mnt/disk_d/Share/Captures/ssl_443.pcapng
Print all TLS fingerprint hash types found in the file /mnt/disk_d/Share/Captures/just-test.pcapng only for packets where the target domain is suip.biz:
python ja4.py /mnt/disk_d/Share/Captures/just-test.pcapng | grep "'domain': 'suip.biz'"
2.2.4 JA3-JA4-scanner
None of the previous tools can filter by, for example, User Agent (and this is normal, since the User Agent is transmitted encrypted and we cannot access it without decrypting the traffic). Therefore, to determine JA3 and JA4 for a specific program, you need to filter by the IP to which the packet was sent and hope that no other application made a request to this server at that moment.
Let's formulate the problem: collect JA3 and JA4 fingerprints for various applications.
To solve this problem, you can use the following algorithm:
- Run TShark for a short time, and set up filters to display information about a single IP – and choose the one to which applications do not send data without the user's knowledge
- Make a request to the selected server with the program for which you need to get JA3 and JA4
You probably thought that it would be nice to write a small script that would automate this process. You just thought about it, and I already did it!
JA3-JA4-scanner is a utility that will show JA3 and JA4 fingerprints for a program on your computer (a web browser, a command line utility, or any other application that can make requests via HTTPS protocol).
The script only requires TShark – if your system does not have this program, then install it as shown in the section “How to install JA3-JA4-scanner”.
Then download the script itself:
wget https://kali.tools/files/scripts/ja3-ja4-scanner.sh
And run:
sudo bash ja3-ja4-scanner.sh
Now just open the address shown on the screen with the program whose JA3 and JA4 hashes you want to find out. As soon as the data is received, the script displays the results on the screen and exits. It couldn't be simpler, and you can determine JA3 and JA4 hashes for any application, from a web browser to a PHP script.
2.2.5 Online service for displaying JA3 and JA4 fingerprints
Finally, the simplest option is online services for scanning JA3 and JA4 fingerprints. I uploaded the ja3-ja4-scanner.sh script to my servers (it took a little modification) and now you can check JA3 and JA4 hashes online – just open the page with the program you want to find out JA3 and JA4 fingerprints for:
- Online scanner JA3 and JA4: https://w-e-b.site/?act=client-tls-fingerprinting
- Free online service for scanning TLS fingerprints of client applications (JA3 and JA4 scanner): https://suip.biz/?act=client-tls-fingerprinting
This online service has a version for console utilities, its address is https://suip.biz/?act=ja4, example of use:
curl -A 'Chrome' 'https://suip.biz/?act=ja4'
2.3 Weaknesses of TLS fingerprints of clients. What you need to know about TLS fingerprinting
1) For some applications, the hash may differ during the initial connection and during reconnection. This is due to the use of TLS session resumption. This technology must be supported by both the client application and the web server. This is usually typical for web browsers.
Despite all its advantages, TLS has quite a lot of “overhead” during the first connection: before the exchange of significant data, the client and server agree on protocol versions, cipher suites, send and verify the site certificate, send the encryption key, and double-check that everything has arrived without forgery and distortion in several cycles of mutual data exchange. TLS session resumption serves precisely to reduce the overhead during the second and all subsequent connections (usually this option remains until the web browser is closed).
But when using TLS session resumption, the TLS handshake during the second and all subsequent connections begins to differ. This results in one client being characterized by two hash values:
- initial connection
- all subsequent reconnections
Example of JA3N and JA4 hashes, as well as full strings used to calculate hashes obtained for the Google Chrome 130.0 web browser during the first connection:
JA3N: 4c9ce26028c11d7544da00d3f7e4f45c
JA3N_FULL: 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-43-45-51-17513-65037-65281,25497-29-23-24,0
JA4: t13d1516h2_8daaf6152771_02713d6af862
JA4_R: t13d1516h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601
The same data for the same browser upon reconnection (as well as all subsequent reconnections, up to closing the web browser):
JA3N: 0a84b1bbbb8d2d6094a8d8218d6d69bc
JA3N_FULL: 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-41-43-45-51-17513-65037-65281,25497-29-23-24,0
JA4: t13d1517h2_8daaf6152771_b0da82dd1658
JA4_R: t13d1517h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,0029,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601
As you can see, the second part of the JA4 hash remains unchanged, the first part differs only in the extension count (16 becomes 17), and the last part changes. The JA3N hash changes completely. If you start delving into the full (raw) strings from which the hashes are calculated, you will notice that they are almost identical – only some values differ.
But (maximum) two values are not so bad – server TLS hashes are even worse 😄
2) Different groups of applications – malicious and harmless – can have the same hashes. For example, client applications using popular libraries or operating system sockets (such as Python, PowerShell, PHP, Windows Socket) will have the same hashes.
That is, if a virus is written in Python, PowerShell, PHP, it will have the same TLS fingerprints as other scripts in these programming languages and it will not be possible to distinguish it from useful programs. Or will it?
The authors of JA3 showed examples in which a combination of client and server TLS fingerprints makes it possible (in some cases) to clearly distinguish malware and even instantly track the movement of servers controlling botnets, regardless of changes in IP and domain names (details here: https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/).
In addition, the network activity of Python and PowerShell scripts in a corporate environment of office workers is quite strange in itself and may be a signal that something is happening that should not happen.
3) TLS fingerprints can be spoofed, although this requires specialized software.
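Point 1 above and the JA4 structure from section 2.1, as an added Python example (not code from the original article or from the JA4+ project): it rebuilds a JA4 fingerprint from its JA4_R raw string and reports what differs between the first and the resumed Chrome handshake. The function names are illustrative; the all-zero value for an empty list and the cap of 99 on the counters are taken from the JA4 technical details linked in section 2.1, and the sample strings are the Chrome 130 values shown above.

```python
import hashlib

# JA4 / JA4_R pairs for Chrome 130, copied from point 1 of this section.
FIRST_JA4 = "t13d1516h2_8daaf6152771_02713d6af862"
FIRST_JA4_R = (
    "t13d1516h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,"
    "c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,002b,002d,0033,"
    "4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601"
)
RESUMED_JA4 = "t13d1517h2_8daaf6152771_b0da82dd1658"
RESUMED_JA4_R = (
    "t13d1517h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,"
    "c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,0029,002b,002d,"
    "0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601"
)
EMPTY_HASH = "0" * 12  # used by JA4 when a list is empty


def parse_ja4_r(raw):
    """Split a JA4_R string into JA4_a and its three value lists."""
    parts = raw.strip().split("_")
    if len(parts) not in (3, 4) or len(parts[0]) != 10:
        raise ValueError("not a JA4_R string: %r" % raw)
    lists = [p.split(",") if p else [] for p in parts[1:]]
    lists += [[]] * (3 - len(lists))  # signature algorithms may be absent
    return {"a": parts[0], "ciphers": lists[0],
            "extensions": lists[1], "sig_algs": lists[2]}


def decode_ja4_a(a):
    """Decode the unhashed first part, field by field."""
    return {
        "protocol": {"t": "TCP", "q": "QUIC"}.get(a[0], a[0]),
        "tls_version": a[1:3],
        "sni": {"d": "domain", "i": "IP"}.get(a[3], a[3]),
        "cipher_count": int(a[4:6]),
        "extension_count": int(a[6:8]),
        "alpn": a[8:10],
    }


def short_sha256(text):
    """SHA256 truncated to the 12 hex characters used in JA4_b and JA4_c."""
    if not text:
        return EMPTY_HASH
    return hashlib.sha256(text.encode("ascii")).hexdigest()[:12]


def ja4_from_raw(raw):
    """Recompute the JA4 fingerprint from a JA4_R string."""
    p = parse_ja4_r(raw)
    b = short_sha256(",".join(p["ciphers"]))
    c_input = ",".join(p["extensions"])
    if c_input and p["sig_algs"]:
        c_input += "_" + ",".join(p["sig_algs"])
    return "_".join([p["a"], b, short_sha256(c_input)])


def counts_consistent(raw):
    """Check the two counters in JA4_a against the lists in JA4_R."""
    p = parse_ja4_r(raw)
    a = decode_ja4_a(p["a"])
    # The extension counter also covers SNI (0000) and ALPN (0010), which
    # are left out of the hashed extension list.
    hidden = (a["sni"] == "domain") + (a["alpn"] != "00")
    return (a["cipher_count"] == min(len(p["ciphers"]), 99)
            and a["extension_count"] == min(len(p["extensions"]) + hidden, 99))


def compare_handshakes(raw_1, raw_2):
    """Report which JA4 parts and which extensions differ between two hellos."""
    p1, p2 = parse_ja4_r(raw_1), parse_ja4_r(raw_2)
    j1, j2 = ja4_from_raw(raw_1).split("_"), ja4_from_raw(raw_2).split("_")
    e1, e2 = set(p1["extensions"]), set(p2["extensions"])
    return {
        "changed_parts": [n for n, x, y in zip("abc", j1, j2) if x != y],
        "added_extensions": sorted(e2 - e1),    # 0029 is pre_shared_key
        "removed_extensions": sorted(e1 - e2),
        "same_ciphers": p1["ciphers"] == p2["ciphers"],
        "same_sig_algs": p1["sig_algs"] == p2["sig_algs"],
    }


if __name__ == "__main__":
    print(decode_ja4_a(FIRST_JA4.split("_")[0]))
    print(ja4_from_raw(FIRST_JA4_R), ja4_from_raw(FIRST_JA4_R) == FIRST_JA4)
    print(ja4_from_raw(RESUMED_JA4_R), ja4_from_raw(RESUMED_JA4_R) == RESUMED_JA4)
    print(compare_handshakes(FIRST_JA4_R, RESUMED_JA4_R))
```

When matching against a fingerprint database, a pair of hellos that differs only by the added 0029 extension can be treated as the first and the resumed connection of the same client.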
2.4 JA3, JA3N and JA4 hash databases
A brief summary of this section – I did not find anything comprehensive in open sources. But, of course, companies using TLS fingerprints have proprietary JA3, JA3N and JA4 databases. Let's look at what is freely available.
1) JA4 Database from the creators of JA4+
You can find the database from the creators of JA4+ on this page: https://ja4db.com/
You can even download it: https://ja4db.com/api/download/
To be honest, I was not impressed by this database – there is no PowerShell, no latest version of cURL, a lot of duplicates. It feels like this is just data extracted from captured traffic – I would like something better.
2) ja4plus-mapping.csv
I feel like I got more useful information than the first point from a small table located at this address (this table was also compiled by the authors of JA4+): https://github.com/FoxIO-LLC/ja4/blob/main/ja4plus-mapping.csv
3) Database of JA3, JA3N, and JA4 hashes for web browsers, programming languages, and utilities
Since I was not at all impressed by what I managed to find, I put together my own small database of JA3, JA3N, and JA4 hashes for the most popular (from my point of view) applications, utilities, and programming languages. The following table will help us evaluate how different or overlapping the hash values are for different types of applications and programming languages.
Apps | JA3 | JA3_FULL | JA3N | JA3N_FULL | JA4 | JA4_R | User Agent |
---|---|---|---|---|---|---|---|
Chrome / Chromium (Windows & Linux) (first connection) | N/A | N/A | 4c9ce26028c11d7544da00d3f7e4f45c | 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-43-45-51-17513-65037-65281,25497-29-23-24,0 | t13d1516h2_8daaf6152771_02713d6af862 | t13d1516h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601 | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 |
Chrome / Chromium (Windows & Linux) (reconnection) | N/A | N/A | 0a84b1bbbb8d2d6094a8d8218d6d69bc | 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-41-43-45-51-17513-65037-65281,25497-29-23-24,0 | t13d1517h2_8daaf6152771_b0da82dd1658 | t13d1517h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,0029,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601 | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 |
Firefox (Windows & Linux) (first connection) | 2d692a4485ca2f5f2b10ecb2d2909ad3 | 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-34-51-43-13-45-28-27-65037,4588-29-23-24-25-256-257,0 | 90634f51dcf65fc506946108904d6913 | 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-5-10-11-13-16-23-27-28-34-35-43-45-51-65037-65281,4588-29-23-24-25-256-257,0 | t13d1716h2_5b57614c22b0_eeeea6562960 | t13d1716h2_002f,0035,009c,009d,1301,1302,1303,c009,c00a,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0017,001b,001c,0022,0023,002b,002d,0033,fe0d,ff01_0403,0503,0603,0804,0805,0806,0401,0501,0601,0203,0201 | Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0 |
Firefox (Windows & Linux) (reconnection) | 1bd037f4362e6fb24b2718009dd1049a | 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-45-28-27-65037-41,4588-29-23-24-25-256-257,0 | ae5a0020003003358112604746bcef16 | 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-5-10-11-13-16-23-27-28-34-41-43-45-51-65037-65281,4588-29-23-24-25-256-257,0 | t13d1716h2_5b57614c22b0_bdfeeec9ffef | t13d1716h2_002f,0035,009c,009d,1301,1302,1303,c009,c00a,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0017,001b,001c,0022,0029,002b,002d,0033,fe0d,ff01_0403,0503,0603,0804,0805,0806,0401,0501,0601,0203,0201 | Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0 |
Edge (Windows) (first connection) | N/A | N/A | 4c9ce26028c11d7544da00d3f7e4f45c | 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-43-45-51-17513-65037-65281,25497-29-23-24,0 | t13d1516h2_8daaf6152771_02713d6af862 | t13d1516h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0 |
Edge (Windows) (reconnection) | N/A | N/A | 0a84b1bbbb8d2d6094a8d8218d6d69bc | 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-41-43-45-51-17513-65037-65281,25497-29-23-24,0 | t13d1517h2_8daaf6152771_b0da82dd1658 | t13d1517h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,0029,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0 |
Opera (Windows) (first connection) | N/A | N/A | 4c9ce26028c11d7544da00d3f7e4f45c | 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-43-45-51-17513-65037-65281,25497-29-23-24,0 | t13d1516h2_8daaf6152771_02713d6af862 | t13d1516h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 |
Opera (Windows) (reconnection) | N/A | N/A | 0a84b1bbbb8d2d6094a8d8218d6d69bc | 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-41-43-45-51-17513-65037-65281,25497-29-23-24,0 | t13d1517h2_8daaf6152771_b0da82dd1658 | t13d1517h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,0029,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 |
Safari | |||||||
Android (Chrome) (first connection) | N/A | N/A | 4c9ce26028c11d7544da00d3f7e4f45c | 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-43-45-51-17513-65037-65281,25497-29-23-24,0 | t13d1516h2_8daaf6152771_02713d6af862 | t13d1516h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601 | Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Mobile Safari/537.36 |
Android (Chrome) (reconnection) | N/A | N/A | 74bbdbde1033b2f56a57e7ccc97d13fe | 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-41-43-45-51-17513-65037-65281,29-23-24,0 | t13d1517h2_8daaf6152771_b0da82dd1658 | t13d1517h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,0029,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601 | Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Mobile Safari/537.36 |
Android (Firefox) | 8bc88bfe0bd40b49be5cae8597feb9a2 | 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-34-51-43-13-45-28-27-65037,29-23-24-25-256-257,0 | 54d3e8667a6b6db7fa9367de7ec127de | 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-5-10-11-13-16-23-27-28-34-35-43-45-51-65037-65281,29-23-24-25-256-257,0 | t13d1716h2_5b57614c22b0_eeeea6562960 | t13d1716h2_002f,0035,009c,009d,1301,1302,1303,c009,c00a,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0017,001b,001c,0022,0023,002b,002d,0033,fe0d,ff01_0403,0503,0603,0804,0805,0806,0401,0501,0601,0203,0201 | Mozilla/5.0 (Android 14; Mobile; rv:132.0) Gecko/132.0 Firefox/132.0 |
iPhone | 773906b0efdefa24a7f2b8eb6985bf37 | 771,4865-4866-4867-49196-49195-52393-49200-49199-52392-49162-49161-49172-49171-157-156-53-47-49160-49170-10,0-23-65281-10-11-16-5-13-18-51-45-43-27-21,29-23-24-25,0 | 44f7ed5185d22c92b96da72dbe68d307 | 771,4865-4866-4867-49196-49195-52393-49200-49199-52392-49162-49161-49172-49171-157-156-53-47-49160-49170-10,0-5-10-11-13-16-18-21-23-27-43-45-51-65281,29-23-24-25,0 | t13d2014h1_a09f3c656075_14788d8d241b | t13d2014h1_000a,002f,0035,009c,009d,1301,1302,1303,c008,c009,c00a,c012,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0015,0017,001b,002b,002d,0033,ff01_0403,0804,0401,0503,0203,0805,0805,0501,0806,0601,0201 | Mozilla/5.0 (iPhone; CPU iPhone OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Mobile/15E148 Safari/604.1 |
Squid proxy server | Passed through from the application that uses the proxy | ||||||
Python (requests, Windows) | a48c0d5f95b1ef98f560f324fd275da1 | 771,4866-4867-4865-49196-49200-49195-49199-52393-52392-49188-49192-49187-49191-159-158-107-103-255,0-11-10-16-22-23-49-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2 | 62fcc66dfa1611e219a93df2d1bb1b24 | 771,4866-4867-4865-49196-49200-49195-49199-52393-52392-49188-49192-49187-49191-159-158-107-103-255,0-10-11-13-16-21-22-23-43-45-49-51,29-23-30-25-24-256-257-258-259-260,0-1-2 | t13d1812h1_85036bcba153_b26ce05bbdd6 | t13d1812h1_0067,006b,009e,009f,00ff,1301,1302,1303,c023,c024,c027,c028,c02b,c02c,c02f,c030,cca8,cca9_000a,000b,000d,0015,0016,0017,002b,002d,0031,0033_0403,0503,0603,0807,0808,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602 | python-requests/2.32.3 |
Python (requests, Linux) | 47175ad2a36618e885e11d5dbe61a201 | 771,4866-4867-4865-49196-49200-49195-49199-52393-52392-159-158-52394-49325-49324-49188-49192-49187-49191-49162-49172-49161-49171-49311-49310-107-103-57-51-157-156-49309-49308-61-60-53-47,65281-0-11-10-16-22-23-49-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2 | 3dad9b940b32a516735f72ca85f7bcac | 771,4866-4867-4865-49196-49200-49195-49199-52393-52392-159-158-52394-49325-49324-49188-49192-49187-49191-49162-49172-49161-49171-49311-49310-107-103-57-51-157-156-49309-49308-61-60-53-47,0-10-11-13-16-21-22-23-43-45-49-51-65281,29-23-30-25-24-256-257-258-259-260,0-1-2 | t13d3613h1_bcee18a5b459_e10b9050f4c9 | t13d3613h1_002f,0033,0035,0039,003c,003d,0067,006b,009c,009d,009e,009f,1301,1302,1303,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,c09c,c09d,c09e,c09f,c0ac,c0ad,cca8,cca9,ccaa_000a,000b,000d,0015,0016,0017,002b,002d,0031,0033,ff01_0403,0503,0603,0807,0808,081a,081b,081c,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602 | python-requests/2.32.3 |
PowerShell (Invoke-WebRequest, Windows) (first connection) | 68b3ecfaf0034bb9fcbecd518b5ab8d4 | 771,4866-4865-49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47,0-43-13-35-10-11-51-49-23-65281-45,29-23-24,0 | fcc54fa6dc5ae1f61346221b10bc8680 | 771,4866-4865-49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47,0-10-11-13-23-35-43-45-49-51-65281,29-23-24,0 | t13d201100_2b729b4bf6f3_36bf25f296df | t13d201100_002f,0035,003c,003d,009c,009d,1301,1302,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030_000a,000b,000d,0017,0023,002b,002d,0031,0033,ff01_0804,0805,0806,0401,0501,0201,0403,0503,0203,0202,0601,0603 | Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.22631; en-US) PowerShell/7.4.6 |
PowerShell (Invoke-WebRequest, Windows) (reconnection) | 6ad69cecca55b3321a3261b1ae4aaab1 | 771,4866-4865-49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47,0-43-13-35-10-11-51-49-23-65281-45-41,29-23-24,0 | 9174d0d3b2705371807708013561fd0b | 771,4866-4865-49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47,0-10-11-13-23-35-41-43-45-49-51-65281,29-23-24,0 | t13d201200_2b729b4bf6f3_89322cc15493 | t13d201200_002f,0035,003c,003d,009c,009d,1301,1302,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030_000a,000b,000d,0017,0023,0029,002b,002d,0031,0033,ff01_0804,0805,0806,0401,0501,0201,0403,0503,0203,0202,0601,0603 | Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.22631; en-US) PowerShell/7.4.6 |
PowerShell (Invoke-WebRequest, Linux) (first connection) | fa6f215f4de3751f6cb7cac85602ab67 | 771,4866-4867-4865-49196-49195-49200-49199-49188-49187-49192-49191,65281-0-11-10-35-5-22-23-13-43-45-51,29-23-30-25-24-256-257-258-259-260,0-1-2 | eb1003f00e5d28ee81d9ee24d357e5d5 | 771,4866-4867-4865-49196-49195-49200-49199-49188-49187-49192-49191,0-5-10-11-13-22-23-35-43-45-51-65281,29-23-30-25-24-256-257-258-259-260,0-1-2 | t13d111200_c5d436628c5c_a6f532063c55 | t13d111200_1301,1302,1303,c023,c024,c027,c028,c02b,c02c,c02f,c030_0005,000a,000b,000d,0016,0017,0023,002b,002d,0033,ff01_0403,0503,0603,0807,0808,081a,081b,081c,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602 | Mozilla/5.0 (Linux; Arch Linux; en-US) PowerShell/7.4.6 |
PowerShell (Invoke-WebRequest, Linux) (reconnection) | 12c6febee80767b58544b96f2a309026 | 771,4866-4867-4865-49196-49195-49200-49199-49188-49187-49192-49191,65281-0-11-10-35-5-22-23-13-43-45-51-41,29-23-30-25-24-256-257-258-259-260,0-1-2 | 31ee3d9feeab3716116b2468d3fc2244 | 771,4866-4867-4865-49196-49195-49200-49199-49188-49187-49192-49191,0-5-10-11-13-22-23-35-41-43-45-51-65281,29-23-30-25-24-256-257-258-259-260,0-1-2 | t13d111300_c5d436628c5c_580f1b29fba7 | t13d111300_1301,1302,1303,c023,c024,c027,c028,c02b,c02c,c02f,c030_0005,000a,000b,000d,0016,0017,0023,0029,002b,002d,0033,ff01_0403,0503,0603,0807,0808,081a,081b,081c,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602 | Mozilla/5.0 (Linux; Arch Linux; en-US) PowerShell/7.4.6 |
PHP (file_get_contents, Windows) | a468eae2a82cd86fea9fd0c541ed8ff0 | 771,4866-4867-4865-49199-49195-49200-49196-158-162-163-159-49191-49187-49171-49161-49192-49188-49172-49162-103-51-64-107-56-57-156-157-49326-49324-49314-49310-50-49312-49308-60-47-49327-49325-49315-49311-106-49313-49309-61-53-52393-52392-52394-49245-49249-49239-49235-49244-49248-49238-49234-49267-49271-196-195-49266-49270-190-189-136-135-69-68-49233-49232-192-186-132-65-255,0-11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2 | 0bae95ba86cab1d4e0fe0db9339f1519 | 771,4866-4867-4865-49199-49195-49200-49196-158-162-163-159-49191-49187-49171-49161-49192-49188-49172-49162-103-51-64-107-56-57-156-157-49326-49324-49314-49310-50-49312-49308-60-47-49327-49325-49315-49311-106-49313-49309-61-53-52393-52392-52394-49245-49249-49239-49235-49244-49248-49238-49234-49267-49271-196-195-49266-49270-190-189-136-135-69-68-49233-49232-192-186-132-65-255,0-10-11-13-21-22-23-35-43-45-51,29-23-30-25-24-256-257-258-259-260,0-1-2 | t13d751100_479067518aa3_d41ae481755e | t13d751100_002f,0032,0033,0035,0038,0039,003c,003d,0040,0041,0044,0045,0067,006a,006b,0084,0087,0088,009c,009d,009e,009f,00a2,00a3,00ba,00bd,00be,00c0,00c3,00c4,00ff,1301,1302,1303,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,c050,c051,c052,c053,c056,c057,c05c,c05d,c060,c061,c072,c073,c076,c077,c09c,c09d,c09e,c09f,c0a0,c0a1,c0a2,c0a3,c0ac,c0ad,c0ae,c0af,cca8,cca9,ccaa_000a,000b,000d,0015,0016,0017,0023,002b,002d,0033_0403,0503,0603,0807,0808,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602 | |
PHP (file_get_contents, Linux) | fc1b1608487e90882a99f985570f3398 | 771,4866-4867-4865-49199-49195-49200-49196-158-162-163-159-49191-49187-49171-49161-49192-49188-49172-49162-103-51-64-107-56-57-156-157-49324-49310-50-49308-60-47-49325-49311-106-49309-61-53-52393-52392-52394-49245-49249-49239-49235-49244-49248-49238-49234-49267-49271-196-195-49266-49270-190-189-136-135-69-68-49233-49232-192-186-132-65,65281-0-11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2 | d05baa862687f2cb8f8a74248b3d4ebe | 771,4866-4867-4865-49199-49195-49200-49196-158-162-163-159-49191-49187-49171-49161-49192-49188-49172-49162-103-51-64-107-56-57-156-157-49324-49310-50-49308-60-47-49325-49311-106-49309-61-53-52393-52392-52394-49245-49249-49239-49235-49244-49248-49238-49234-49267-49271-196-195-49266-49270-190-189-136-135-69-68-49233-49232-192-186-132-65,0-10-11-13-21-22-23-35-43-45-51-65281,29-23-30-25-24-256-257-258-259-260,0-1-2 | t13d681200_13e0e9e1c501_0b298858d6c1 | t13d681200_002f,0032,0033,0035,0038,0039,003c,003d,0040,0041,0044,0045,0067,006a,006b,0084,0087,0088,009c,009d,009e,009f,00a2,00a3,00ba,00bd,00be,00c0,00c3,00c4,1301,1302,1303,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,c050,c051,c052,c053,c056,c057,c05c,c05d,c060,c061,c072,c073,c076,c077,c09c,c09d,c09e,c09f,c0ac,c0ad,cca8,cca9,ccaa_000a,000b,000d,0015,0016,0017,0023,002b,002d,0033,ff01_0403,0503,0603,0807,0808,081a,081b,081c,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602 | |
PHP (cURL, Windows) | |||||||
PHP (cURL, Linux) | |||||||
Tor | c79653a3a53172c2304e6da72cd7aa2a | 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-156-157,0-23-65281-10-11-16-5-34-51-43-13-28-21,29-23-24-25-256-257,0 | 0d918d348f893db516ba41ef6a22f5bf | 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-156-157,0-5-10-11-13-16-21-23-28-34-43-51-65281,29-23-24-25-256-257,0 | t13d1113h2_47af8f603342_f81080dfc557 | t13d1113h2_009c,009d,1301,1302,1303,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0015,0017,001c,0022,002b,0033,ff01_0403,0503,0603,0804,0805,0806,0401,0501,0601,0203,0201 | Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 |
sqlmap | |||||||
WhatWeb | |||||||
WPScan | |||||||
cURL | 5ba6f86deff79afc9902f9927d1c1697 | 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47,65281-0-11-10-16-22-23-49-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2 | 36c45da3fc87b9fa46fae4e199884130 | 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47,0-10-11-13-16-21-22-23-43-45-49-51-65281,29-23-30-25-24-256-257-258-259-260,0-1-2 | t13d3013h2_1d37bd780c83_e10b9050f4c9 | t13d3013h2_002f,0033,0035,0039,003c,003d,0067,006b,009c,009d,009e,009f,1301,1302,1303,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,cca8,cca9,ccaa_000a,000b,000d,0015,0016,0017,002b,002d,0031,0033,ff01_0403,0503,0603,0807,0808,081a,081b,081c,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602 | curl/8.10.1 |
wget | ac9e51091379e0dddbfbb33edd96398f | 771,4866-4867-4865-4868-49196-52393-49325-49162-49195-49324-49161-49200-52392-49172-49199-49171-157-49309-53-156-49308-47-159-52394-49311-57-158-49310-51,11-28-51-10-35-5-45-0-49-13-65281-43-21,23-24-25-29-30-256-257-258-259-260,0 | aeaf2f865911f886e3f721156a5f552e | 771,4866-4867-4865-4868-49196-52393-49325-49162-49195-49324-49161-49200-52392-49172-49199-49171-157-49309-53-156-49308-47-159-52394-49311-57-158-49310-51,0-5-10-11-13-21-28-35-43-45-49-51-65281,23-24-25-29-30-256-257-258-259-260,0 | t13d291300_723694b0fccc_899037bd0b8c | t13d291300_002f,0033,0035,0039,009c,009d,009e,009f,1301,1302,1303,1304,c009,c00a,c013,c014,c02b,c02c,c02f,c030,c09c,c09d,c09e,c09f,c0ac,c0ad,cca8,cca9,ccaa_0005,000a,000b,000d,0015,001c,0023,002b,002d,0031,0033,ff01_0401,0809,0804,0403,0807,0501,080a,0805,0503,0808,0601,080b,0806,0603,0201,0203 | Wget/1.24.5 |
GoLang | |||||||
ngrok (Win/Lin) | |||||||
openssl (s_client) | caf4ec11cce2d9dba8e2575080fc4dfb | 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47,65281-0-11-10-35-22-23-13-43-45-51,29-23-30-25-24-256-257-258-259-260,0-1-2 | b993a03dac6e9e9770c5c542315b64f2 | 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47,0-10-11-13-22-23-35-43-45-51-65281,29-23-30-25-24-256-257-258-259-260,0-1-2 | t13d301100_1d37bd780c83_ef4b9b248d72 | t13d301100_002f,0033,0035,0039,003c,003d,0067,006b,009c,009d,009e,009f,1301,1302,1303,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,cca8,cca9,ccaa_000a,000b,000d,0016,0017,0023,002b,002d,0033,ff01_0403,0503,0603,0807,0808,081a,081b,081c,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602 | |
testssl.sh | |||||||
SSLyze | |||||||
WSL Ubuntu | |||||||
Puppeteer | |||||||
curl_chrome116 | ddf2256b916f994a5f4412d3caa096f0 | 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,23-18-27-45-43-0-65281-51-11-17513-13-16-35-10-5-21,29-23-24,0 | aa56c057ad164ec4fdcb7a5a283be9fc | 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-21-23-27-35-43-45-51-17513-65281,29-23-24,0 | t13d1516h2_8daaf6152771_e5627efa2ab1 | t13d1516h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0015,0017,001b,0023,002b,002d,0033,4469,ff01_0403,0804,0401,0503,0805,0501,0806,0601 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 |
Nmap | |||||||
HTTrack (WinHTTrack / WebHTTrack) | |||||||
Telegram | Pretends to be HTTP traffic, although it transmits encrypted data: ja4.ja4h == "po11nn07enus_99eca2ca61a8_000000000000_000000000000" | ||||||
Viber | 57fbe0aefee44901190849b0e877a5e1 | 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-173-171-52398-52397-52396-157-169-52395-172-170-156-168-61-60-49208-49206-183-179-149-145-53-175-141-49207-49205-182-178-148-144-47-174-140-255,0-11-10-35-22-23-13-43-45-51-21,29-23-30-25-24,0-1-2 | 2d384510d2e6e07594ac35e5188e66c9 | 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-173-171-52398-52397-52396-157-169-52395-172-170-156-168-61-60-49208-49206-183-179-149-145-53-175-141-49207-49205-182-178-148-144-47-174-140-255,0-10-11-13-21-22-23-35-43-45-51,29-23-30-25-24,0-1-2 | t13d571100_131602cb7446_d41ae481755e | t13d571100_002f,0033,0035,0039,003c,003d,0067,006b,008c,008d,0090,0091,0094,0095,009c,009d,009e,009f,00a8,00a9,00aa,00ab,00ac,00ad,00ae,00af,00b2,00b3,00b6,00b7,00ff,1301,1302,1303,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,c035,c036,c037,c038,cca8,cca9,ccaa,ccab,ccac,ccad,ccae_000a,000b,000d,0015,0016,0017,0023,002b,002d,0033_0403,0503,0603,0807,0808,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602 | |
MySQL | |||||||
Heritrix | |||||||
Evilginx |
NOTE: I am gradually filling in the table – if I missed any interesting applications with HTTPS support, please write in the comments.
It is worth noting that web browsers based on Google Chrome / Chromium have the same TLS fingerprints. Other applications, programming languages and libraries have unique TLS fingerprints.
2.5 Client TLS fingerprints may change in new software versions
Please note that the client TLS fingerprint is not something completely unchangeable.
We have already mentioned TLS session resumption and the fact that a client can have 2 constant TLS fingerprints.
It is also important to note that TLS fingerprints are not something predetermined for all software versions. If a client has updated the TLS library, then there is a high probability that its TLS fingerprints have changed.
At the same time, TLS, and especially its extensions, are currently developing rapidly and changing quite often.
For example, for web browsers, the TLS fingerprint may change with each new version. For Google Chrome, TLS fingerprints changed in the following major versions:
- 99
- 100
- 101
- 104
- 107
- 110
- 116
For Firefox, TLS fingerprints changed in the following major versions:
- 91esr
- 95
- 98
- 100
- 102
- 109
- 117
That is, TLS fingerprints change quite often, with almost every major version of the web browser.
The situation is similar with programming languages and other programs and utilities – new major versions often carry changes in TLS fingerprints and all hashes.
On the one hand, this opens up opportunities to increase the accuracy of determining not only the type, but also the version of the client. On the other hand, this requires constant updating of the JA3, JA3N and JA4 hash database.
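The following added example (not code from the original article) shows one way to handle a fingerprint that is missing from the database after a client update: normalize JA3_FULL to JA3N, try an exact hash match, and otherwise report the nearest known entry. The three reference strings are copied from the table above; the `OBSERVED` string, the function names and the Jaccard-overlap scoring are assumptions made for illustration.

```python
import hashlib

# JA3_FULL strings copied from the table above. cURL and openssl s_client share
# one cipher list and one group list, so those are factored out.
OPENSSL_CIPHERS = ("4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-"
                   "49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-"
                   "157-156-61-60-53-47")
GROUPS = "29-23-30-25-24-256-257-258-259-260"
KNOWN = {
    "cURL": f"771,{OPENSSL_CIPHERS},65281-0-11-10-16-22-23-49-13-43-45-51-21,{GROUPS},0-1-2",
    "openssl (s_client)": f"771,{OPENSSL_CIPHERS},65281-0-11-10-35-22-23-13-43-45-51,{GROUPS},0-1-2",
    "Tor": "771,4865-4867-4866-49195-49199-52393-52392-49196-49200-156-157,"
           "0-23-65281-10-11-16-5-34-51-43-13-28-21,29-23-24-25-256-257,0",
}
# Constructed sample: the cURL string with extension 21 removed, standing in for
# a client whose TLS library changed between versions.
OBSERVED = f"771,{OPENSSL_CIPHERS},65281-0-11-10-16-22-23-49-13-43-45-51,{GROUPS},0-1-2"

def fields(ja3_full):
    """[version], ciphers, extensions, groups, point formats as lists of ints."""
    return [[int(x) for x in part.split("-") if x] for part in ja3_full.split(",")]

def ja3n_full(ja3_full):
    """JA3N raw string: JA3_FULL with the extension list sorted numerically."""
    f = fields(ja3_full)
    f[2].sort()
    return ",".join("-".join(map(str, part)) for part in f)

def ja3n(ja3_full):
    return hashlib.md5(ja3n_full(ja3_full).encode()).hexdigest()

def jaccard(a, b):
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 1.0

def identify(observed, known=KNOWN):
    """Return (name, score, exact). exact=True only on a JA3N hash match;
    otherwise the nearest entry by set overlap of ciphers, extensions, groups."""
    by_hash = {ja3n(raw): name for name, raw in known.items()}
    if ja3n(observed) in by_hash:
        return by_hash[ja3n(observed)], 1.0, True
    obs = fields(observed)
    def score(name):
        ref = fields(known[name])
        return sum(jaccard(obs[i], ref[i]) for i in (1, 2, 3)) / 3
    best = max(known, key=score)
    return best, round(score(best), 3), False

if __name__ == "__main__":
    print(identify(OBSERVED))  # nearest known client for an unlisted fingerprint
```

A near match is only a hint that a known client may have changed its TLS library; the new fingerprint still has to be confirmed and added to the database by hand.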
2.6 TLS fingerprinting of QUIC clients
QUIC (short for Quick UDP Internet Connections; pronounced quick) is an Internet protocol developed by Google in late 2012.
QUIC allows multiplexing of multiple data streams between two computers, working on top of the UDP protocol, and contains encryption capabilities equivalent to TLS and SSL. It has lower connection and transmission latency than TCP. It tolerates the loss of some packets well by aligning the boundaries of cryptographic blocks with the boundaries of packets. The protocol includes the ability to perform forward (predictive) error correction at the packet level, but in practice it is disabled.
TLS fingerprinting of clients (JA3 and JA4 hashes for QUIC protocol):
tls.handshake.ja3 && quic
tls.handshake.ja4 && quic
JA3 and JA4 hashes of TLS protocol without QUIC:
tls.handshake.ja3 && ! quic
tls.handshake.ja4 && ! quic