TLS fingerprinting of servers: hash types, utilities for displaying TLS fingerprints of servers
Contents
1. TLS fingerprinting: methods for identifying client and server software
2. TLS fingerprinting of clients: hash types, utilities for displaying TLS fingerprints of clients
3. TLS fingerprinting of servers: hash types, utilities for displaying TLS fingerprints of servers
3.1 TLS Server fingerprints are unstable and depend on the client request
3.3 Types of hashes for TLS fingerprinting servers
3.4 Tools for scanning TLS fingerprints of servers
3.4.6 Online service for showing JA3S and JA4S fingerprints
3.4.7 Online service for scanning JARM fingerprints
3.5 TLS fingerprinting of QUIC protocol for servers
3.6 JA3, JA3N and JA4 hash databases
4. How to change TLS fingerprints and impersonate other applications. How to bypass filtering based on TLS fingerprinting
3.1 TLS Server fingerprints are unstable and depend on the client request
In the previous section, we already noted such features of TLS client fingerprints as changing in new versions of programs.
Of course, TLS server fingerprints also do not remain unchanged forever. But (some) TLS server hashes have another feature: the data that the server sends in the TLS Server Hello depends on what the client sent. That is, the same server responds differently to different clients. In practice, this means that for one server you can get different JA3S and JA4S fingerprints if you make a request to this server, for example, using a web browser and the cURL utility, or using different web browsers.
However, the web server will respond to the same requests in the same way.
So, when working with JA3S and JA4S hashes, it may be important which client made the request during TLS fingerprinting.
And, again, it is important to remember that the client itself can change the data sent in the TLS Client Hello, which in turn will change the TLS Server Hello and ultimately this will lead to a change in the JA3S and JA4S hashes.
So, JA3S and JA4S can be compared if they are made during requests from the same clients with the same versions.
3.2 JA3S and JA4S hashes are great for identifying command and control (C2) infrastructure in combination with TLS client fingerprints
TLS fingerprints were developed to identify traffic that generates malware. In the case of communication within the command and control (C2) infrastructure, clients have the same Client Hello to which servers always respond with the same Server Hello. This ensures a stable result for JA3S and JA4S hashes.
It was also noted that JA4S in combination with JA4 significantly improves detection accuracy. That is, JA4 (client fingerprint) by itself is not always able to unambiguously identify a malicious client – as noted in the previous section, any Python scripts using the same library versions will have the same fingerprints. At the same time, server fingerprints, namely JA3S and JA4S hashes, also do not always give an unambiguous answer about whether the server is part of a botnet or legitimate software. But the combination of client and server TLS fingerprints gives extremely high accuracy results – in this case, you can instantly identify malicious clients, servers, and also track their movements if, for example, the C2 infrastructure changes IP and domains.
3.3 Types of hashes for TLS fingerprinting servers
3.3.1 JA3S
After creating JA3, the authors began experimenting with using the same method to obtain fingerprints from the server TLS handshake, the TLS Server Hello message. The JA3S method works by collecting the decimal byte values for the following fields in the Server Hello packet: Version, Accepted Cipher, and List of Extensions. It then concatenates these values together in order, using “,” to separate each field and “-” to separate each value within each field.
The order of the fields is:
TLSVersion,Cipher,Extensions
Example:
771,4866,43-51
If the TLS extensions in the Server Hello are not present, these fields are left blank. For example:
771,4866,
This screenshot shows which parts of the TLS Server Hello are used to calculate JA3S.
Then the MD5 hash is calculated for the resulting string:
echo -n '771,4866,43-51' | md5sum
This is the JA3S fingerprint:
15af977ce25de452b96affa2addb1036
Source: https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/
3.3.2 JA4S
In the previous part, we already looked at the JA4 fingerprint, which is part of the JA4+ group. The JA4S fingerprint also belongs to JA4+ and is also characterized by having three parts separated by an underscore. But for JA4S, the first two parts encode the collected information, and only the last part is a truncated hash. JA4S example:
t130200_1302_a56c5b993250
Let's look at the structure of the first part of the hash (JA4S_a): The first character (“t”) stands for the TCP protocol; there may also be a “q” character, which stands for the QUIC protocol. The next two characters stand for the TLS version: 1.2 = “12”, 1.3 = “13”. Then comes a two-digit number, the number of extensions. Then another two-digit number, which is the chosen Application-Layer Protocol Negotiation (ALPN). If the ALPN extension is missing, “00” is indicated.
The second part of the hash (JA4S_b) is the chosen Cipher Suite.
The third part of the hash (JA4S_c) is a truncated SHA256 hash: obtained by hashing the Extensions string in the order they appear.
Example of a raw JA4S_R string with the previous hash calculated:
t130200_1302_002b,0033
Source: https://blog.foxio.io/ja4%2B-network-fingerprinting
3.3.3 JARM
JARM is a Transport Layer Security (TLS) server identification tool that features active scanning. The hash (TLS fingerprint) that this utility produces is also called JARM.
JARM works by generating and actively sending 10 TLS Client Hello packets with different configurations to a target TLS server and capturing certain attributes of the TLS Server Hello responses. The server can respond to packets with different TLS Client Hello settings with different responses. The aggregated TLS server responses are then hashed in a specific way to create a JARM fingerprint.
JARM was created by the same team that developed JA3/S in 2017, a passive client-server TLS fingerprinting method that can now be found in most network security tools. But while JA3/S is passive, meaning it fingerprints clients and servers while sniffing network traffic, JARM is an active server fingerprinter.
The 10 TLS Client Hello packets in JARM were specifically crafted to extract unique responses from TLS servers. JARM sends different TLS versions, ciphers, and extensions in different orders to collect unique responses. Does the server support TLS 1.3? Will it negotiate TLS 1.3 with 1.2 ciphers? If we order the ciphers from weakest to strongest, which cipher will it choose? These are the types of unusual questions that JARM essentially asks the server to extract the most unique answers. The 10 answers are then hashed to produce the JARM fingerprint.
The JARM fingerprint hash is a hybrid hash, it uses a combination of a reversible and non-reversible hashing algorithm to produce a 62-character fingerprint. The first 30 characters consist of the cipher and TLS version chosen by the server for each of the 10 client greetings sent. “000” means the server refused to negotiate that client greeting. The remaining 32 characters are a truncated SHA256 hash of the cumulative extensions sent by the server (ignoring x509 certificate data). When comparing JARM fingerprints, if the first 30 characters are the same but the last 32 are different, it would indicate that the servers have very similar configurations accepting the same versions and ciphers, although not exactly identical given that the extensions are different.
Examples of JARM hashes:
29d29d00029d29d00042d42d0000002059a3b916699461c5923779b77cf06b 29d2ad00029d29d00042d43d00000051af7d8070a18e002eaaedf620fa118c
A group of application servers using the same TLS configuration should have the same JARM fingerprint.
In practice, JARM has an unpleasant feature: the JARM hash for the same server can differ depending on whether you specify the IP address of this server or the domain name that has the same IP address. More precisely, the first half of the hash is the same, but the second half is different. Perhaps there is some meaning in this, but I was unable to grasp it.
3.4 Tools for scanning TLS fingerprints of servers
3.4.1 Wireshark
Currently, Wireshark has implemented the display of JA3S hashes. To display the JA3S hash and the full string that was used to obtain JA3S, you can use the following filters:
tls.handshake.ja3s tls.handshake.ja3s_full
You can also make Wireshark show JA4S hashes – this requires installing a plugin – details on how to do this are described here.
After that, you will have access to additional Wireshark filters, including one for displaying the JA4S fingerprint and its full string:
ja4.ja4s ja4.ja4s_r
3.4.2 TShark
TShark (in some Linux distributions, the package is called wireshark-cli) is a console interface to Wireshark. With TShark, you can do everything that you can do with Wireshark, and when it comes to automation, TShark is unrivaled. To obtain JA4S hashes, you need to install the JA4+ Wireshark plugin.
The following command will capture traffic and output JA3S hashes:
sudo tshark -Y "tls.handshake.ja3s" -T fields -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.ja3s
The fields that will be output will include:
- IP or IPv6 address of the client
- IP or IPv6 address of the server
- JA3S hash
If you are not connected to an IPv6 network, you can remove the following options from the command:
-e ipv6.src -e ipv6.dst
A single command can output both JA3S and JA4S hashes:
sudo tshark -Y "tls.handshake.ja3s" -T fields -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.ja3s -e ja4.ja4s
The following command analyzes a file with captured network traffic (the path to the file is specified after the -r option):
tshark -Y "tls.handshake.ja3s" -T fields -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.ja3s -e ja4.ja4s -r /mnt/disk_d/Share/Captures/ssl_443.pcapng
If you want to get JA3S and JA4S hashes for a specific server, you need to combine the command with one or more of the following filters for the IP or IPv6 address of the server to which the request was sent:
ip.src ipv6.src
Note that the ip.src and ipv6.src filters mean the IP address of the source from which the packet was sent. In this case, the source of the packet should be the server IP and with the “src” filter, since we are only interested in response packets from the server (only they contain TLS Server Hello), but not in packets sent from the client (since they only contain TLS Client Hello).
For example, the following command will show JA3S and JA4S fingerprints for a server with IPv6 2604:a880:800:c1::2ae:d001:
sudo tshark -Y "tls.handshake.ja3s and ipv6.src == 2604:a880:800:c1::2ae:d001" -T fields -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.ja3s -e ja4.ja4s
You can specify headers for the output and choose a different separator for the data fields (the default is a tab character). If you choose a comma as the separator, such data can be saved to a .csv file and opened with a program that supports this format (for example, LibreOffice Calc or MS Excel).
sudo tshark -E separator=',' -E header=y -Y "tls.handshake.ja3s and ipv6.src == 2604:a880:800:c1::2ae:d001" -T fields -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.ja3s -e ja4.ja4s > ja4s.csv
If you want to see the full lines from which the JA3 and JA4 hashes are calculated, then add the following options to your command:
-e tls.handshake.ja3s_full -e ja4.ja4s_r
For example:
sudo tshark -Y "tls.handshake.ja3s and ipv6.src == 2604:a880:800:c1::2ae:d001" -T fields -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.ja3s -e tls.handshake.ja3s_full -e ja4.ja4s -e ja4.ja4s_r
If you prefer the JSON format, then use -T json instead of -T fields, for example:
sudo tshark -Y "tls.handshake.ja3s and ipv6.src == 2604:a880:800:c1::2ae:d001" -T json -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.ja3s -e tls.handshake.ja3s_full -e ja4.ja4s -e ja4.ja4s_r
Similarly, JSON output can be obtained by parsing capture files:
tshark -Y "tls.handshake.ja3s" -T json -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.ja3s -e ja4.ja4s -r /mnt/disk_d/Share/Captures/ssl_443.pcapng
3.4.3 JA4+
The JA4+ repository contains various files, among which there is a Python script that extracts JA4, JA4S, JA4H, JA4L, JA4LS, JA4X, JA4SSH, JA4T, JA4TS fingerprints from files PCAP.
For information on how to install this script from JA4+, see here: https://en.kali.tools/?p=1895 (section “How to install JA4+”).
Let's look at a few examples of using ja4.py from the JA4+ repository.
Print all TLS fingerprint hash types found in the traffic capture file (/mnt/disk_d/Share/Captures/ssl_443.pcapng):
python ja4.py /mnt/disk_d/Share/Captures/ssl_443.pcapng
Sample output:
{'stream': 0, 'src': '127.0.0.1', 'dst': '127.0.0.1', 'srcport': '38502', 'dstport': '443', 'client_ttl': '64', 'server_ttl': '64', 'domain': 'hackware.local', 'JA4': 't13d2912h2_723694b0fccc_288f874c93d6', 'JA4S': 't130200_1302_a56c5b993250'}
Print all TLS fingerprint hash types found in the traffic capture file (/mnt/disk_d/Share/Captures/ssl_443.pcapng) in JSON format (--json):
python ja4.py --json /mnt/disk_d/Share/Captures/ssl_443.pcapng
Sample output:
{ "stream": 0, "src": "127.0.0.1", "dst": "127.0.0.1", "srcport": "38502", "dstport": "443", "client_ttl": "64", "server_ttl": "64", "domain": "hackware.local", "JA4": "t13d2912h2_723694b0fccc_288f874c93d6", "JA4S": "t130200_1302_a56c5b993250" }
Print all TLS fingerprint hash types found in the traffic capture file (/mnt/disk_d/Share/Captures/ssl_443.pcapng), and also print the raw strings used to calculate the hashes (-r), and display the result on the screen in JSON format (--json):
python ja4.py -r --json /mnt/disk_d/Share/Captures/ssl_443.pcapng
Sample output:
{ "stream": 0, "src": "127.0.0.1", "dst": "127.0.0.1", "srcport": "38502", "dstport": "443", "client_ttl": "64", "server_ttl": "64", "domain": "hackware.local", "JA4": "t13d2912h2_723694b0fccc_288f874c93d6", "JA4_r": "t13d2912h2_002f,0033,0035,0039,009c,009d,009e,009f,1301,1302,1303,1304,c009,c00a,c013,c014,c02b,c02c,c02f,c030,c09c,c09d,c09e,c09f,c0ac,c0ad,cca8,cca9,ccaa_0005,000a,000b,000d,0016,0017,001c,002b,0033,ff01_0401,0809,0804,0403,0807,0501,080a,0805,0503,0808,0601,080b,0806,0603,0201,0203", "JA4S": "t130200_1302_a56c5b993250", "JA4S_r": "t130200_1302_002b,0033" }
Print all TLS fingerprint hash types found in the traffic capture file (/mnt/disk_d/Share/Captures/just-test.pcapng), only for packets where the traffic source is the specified IPv6 ( | grep "'src': '2001:fb1:138:db4b:886:db58:ee8b:a7bc'"):
python ja4.py /mnt/disk_d/Share/Captures/just-test.pcapng | grep "'src': '2001:fb1:138:db4b:886:db58:ee8b:a7bc'"
Example output:
3.4.4 JA3S-JA4S-scanner
JA3S-JA4S-scanner is a utility for actively scanning servers and getting their JA3S and JA4S hashes used for TLS fingerprinting (identification by TLS properties).
JA3S-JA4S-scanner can make requests to a specified server using clients with different TLS fingerprints; in addition to active scanning, this utility can extract JA3S and JA4S hashes from a capture file.
The JA3S-JA4S-scanner program has mandatory dependencies – all the details on their installation can be found on the official page of the utility here: (section “How to install JA3S-JA4S-scanner”).
At a minimum, you must install the console version of Wireshark, as well as the JA4+ Wireshark plugin. It is also recommended to install curl-impersonate to be able to make requests to servers using clients with different TLS fingerprints.
JA3S-JA4S-scanner has quite a few options, it also has a multi-threaded mode for scanning IP address ranges – for details, see the program help or the JA3S-JA4S-scanner page.
Let's look at examples of using JA3S-JA4S-scanner.
Scan a single IP address (-i 185.117.153.79):
sudo bash ja3s-ja4s-scanner.sh -i 185.117.153.79
Sample output:
================================================= Results for 185.117.153.79:443 JA3S: f4febc55ea12b31ae17cfb7e614afda8 JA3S_FULL: 771,4865,43-51 JA4S: t130200_1301_a56c5b993250 JA4S_R: t130200_1301_002b,0033 =================================================
Scan the specified host (-i w-e-b.site):
sudo bash ja3s-ja4s-scanner.sh -i w-e-b.site
Scan the specified host (-i hackware.local) on a non-standard port (-p 50433):
sudo bash ja3s-ja4s-scanner.sh -i hackware.local -p 50443
Scan the specified IPv6 address (-i 2001:4860:4860::8888):
sudo bash ja3s-ja4s-scanner.sh -i 2001:4860:4860::8888
Output:
================================================= Results for 2001:4860:4860::8888:443 JA3S: eb1d94daa7e0344597e756a1fb6e7054 JA3S_FULL: 771,4865,51-43 JA4S: t130200_1301_234ea6891581 JA4S_R: t130200_1301_0033,002b =================================================
Scan a single host (-i suip.biz) and save the results to a file (-o results.txt):
sudo bash ja3s-ja4s-scanner.sh -i suip.biz -o results.txt
Scan a single host (-i suip.biz) pretending to be Google Chrome (-u chrome):
sudo bash ja3s-ja4s-scanner.sh -i suip.biz -u chrome
Scan a single host (-i suip.biz) using cURL as the client application (-u curl) (note that the hash value may vary for different clients):
sudo bash ja3s-ja4s-scanner.sh -i suip.biz -u curl
Scan a subnet of IP addresses (-s 185.117.153.0/24) in 50 simultaneous threads (-m 50), without displaying results on the screen (-q) and saving the results to a file (-o results.txt):
sudo bash ja3s-ja4s-scanner.sh -s 185.117.153.0/24 -m 50 -q -o results.txt
Scan all targets specified in the file (-f targets.txt):
sudo bash ja3s-ja4s-scanner.sh -f targets.txt
Show all JA3S and JA4S hashes for the specified server (-i 185.117.153.79), using suip.biz.pcapng file (-e suip.biz.pcapng) as a data source:
sudo bash ja3s-ja4s-scanner.sh -i 185.117.153.79 -e suip.biz.pcapng
3.4.5 JARM
JARM is a Transport Layer Security (TLS) server identification tool that features active scanning.
The JARM hash has already been discussed above. It should be additionally noted that JARM hashes cannot be extracted from capture files – for the reason that JARM uses 10 specially constructed requests and therefore the JARM utility requires online scanning.
The advantages of JARM include the fact that this hash does not depend on the client request — that is, one server (or servers with identical settings) should issue the same TLS fingerprints.
Scan host w-e-b.site on default port and print results to screen:
python jarm.py w-e-b.site
Sample output:
Domain: w-e-b.site Resolved IP: 157.245.118.66 JARM: 29d2ad00029d29d00042d43d00000051af7d8070a18e002eaaedf620fa118c
Scan IP 185.117.153.79 on default port and print results to screen:
python jarm.py 185.117.153.79
Sample output:
Domain: 185.117.153.79 Resolved IP: 185.117.153.79 JARM: 29d2ad00029d29d00042d43d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb
Scan host hackware.local on port 50443 and print results to screen:
python jarm.py hackware.local -p 50443
Scan host suip.biz and in addition to the final hash print the collected data used to obtain the hash:
python jarm.py suip.biz -v
Example output:
Domain: suip.biz Resolved IP: 185.117.153.79 JARM: 29d2ad00029d29d00042d43d00000051af7d8070a18e002eaaedf620fa118c Scan 1: c02f|0303||ff01-0000-0001-000b-0023-0017, Scan 2: c030|0303||ff01-0000-0001-000b-0023-0017, Scan 3: |||, Scan 4: c02f|0303||ff01-0000-0001-000b-0023-0017, Scan 5: c02f|0303||ff01-0000-0001-000b-0023-0017, Scan 6: |||, Scan 7: 1302|0303||002b-0033, Scan 8: 1303|0303||002b-0033, Scan 9: |||, Scan 10: |||
Scan all targets from the file targets.txt and print the results to the screen:
python jarm.py -i targets.txt
Example of the file targets.txt contents:
hackware.ru kali.tools suip.biz suip.biz,443 157.245.118.66 157.245.118.66,443 w-e-b.site t.me google.com youtube.com hackware.local,50443
Scan all targets from the file targets.txt and save the results to a file in CSV format (-o results.csv):
python jarm.py -i targets.txt -o results.csv
Example of the file results.csv contents:
cat results.csv hackware.ru,185.26.122.82,29d29d00029d29d00042d42d0000002059a3b916699461c5923779b77cf06b kali.tools,185.26.122.59,29d29d00029d29d00042d42d0000002059a3b916699461c5923779b77cf06b suip.biz,185.117.153.79,29d2ad00029d29d00042d43d00000051af7d8070a18e002eaaedf620fa118c suip.biz,185.117.153.79,29d2ad00029d29d00042d43d00000051af7d8070a18e002eaaedf620fa118c 157.245.118.66,157.245.118.66,29d2ad00029d29d00042d43d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb 157.245.118.66,157.245.118.66,29d2ad00029d29d00042d43d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb w-e-b.site,157.245.118.66,29d2ad00029d29d00042d43d00000051af7d8070a18e002eaaedf620fa118c t.me,149.154.167.99,29d29d15d29d29d00042d42d0000005fd00fabd213a5ac89229012f70afd5c google.com,142.251.223.78,27d40d40d29d40d1dc42d43d00041d4689ee210389f4f6b4b5b1b93f92252d youtube.com,172.217.26.78,27d40d40d29d40d1dc42d43d00041d4689ee210389f4f6b4b5b1b93f92252d hackware.local,127.0.0.1,07d19d1ad21d21d07c42d43d000000112e88add4281e6a02c1102a6e18e86a
Scan all targets from the targets.txt file and save the results to a file (-o results.json) in JSON format (-j):
python jarm.py -i targets.txt -o results.json -j
3.4.6 Online service for showing JA3S and JA4S fingerprints
Free online service for scanning TLS fingerprints of servers (JA3S and JA4S scanner): https://suip.biz/?act=server-tls-fingerprinting
Mirror: https://w-e-b.site/?act=server-tls-fingerprinting
This service will show JA3S and JA4S fingerprints of the scanned server.
You just need to specify an IP or IPv6 address, or a domain, and very quickly you will be shown TLS fingerprints of this server. If you want to scan on a non-standard port, you can also specify a port with HTTPS for which you want to perform TLS Fingerprinting.
Note: if you need to scan an IPv6 address, use a mirror on w-e-b.site, since suip.biz is currently disconnected from the IPv6 network (for reasons beyond my control – I don't like it either, I'm thinking about moving).
3.4.7 Online service for scanning JARM fingerprints
Free online JARM hash scanner for TLS fingerprinting: https://suip.biz/?act=jarm
Mirror: https://w-e-b.site/?act=jarm
This online service will show JARM fingerprints for servers – you can specify an IP address or a domain name.
If the HTTPS service is running on a non-standard port, you can still perform TLS Fingerprinting – to do this, additionally specify the port that needs to be scanned to get the JARM fingerprint.
3.5 TLS fingerprinting of QUIC protocol for servers
QUIC (short for Quick UDP Internet Connections; pronounced quick) is an Internet protocol developed by Google in late 2012.
QUIC allows multiplexing of multiple data streams between two computers, working on top of the UDP protocol, and contains encryption capabilities equivalent to TLS and SSL. It has lower connection and transmission latency than TCP. It tolerates the loss of some packets well by aligning the boundaries of cryptographic blocks with the boundaries of packets. The protocol includes the ability to perform forward (predictive) error correction at the packet level, but in practice it is disabled.
See also:
TLS fingerprinting of servers – JA3S hash for QUIC protocol:
tls.handshake.ja3s && quic
TLS fingerprinting of servers – JA4S hash for QUIC protocol:
ja4.ja4s && quic
JA3S and JA4S hashes of TLS protocol without QUIC
tls.handshake.ja3s && ! quic ja4.ja4s && ! quic
3.6 JA3, JA3N and JA4 hash databases
Server software | Website | JA3S | JA3S_FULL | JA4S | JA4S_R | JARM |
---|---|---|---|---|---|---|
Cloudflare | 9ebc57def2efb523f25c77af13aa6d48 | 771,49195,0-23-65281-11-35-16-5 | t1207h2_c02b_d0d4e4171d74 | t1207h2_c02b_0017,ff01,000b,0023,0005 | 27d40d40d00040d1dc27d40d27d40d5fb4c89fe3813d172ffb53f84a68f750 | |
Hitch - scalable TLS proxy and:
|
suip.biz w-e-b.site |
f4febc55ea12b31ae17cfb7e614afda8 | 771,4865,43-51 | t130200_1301_a56c5b993250 | t130200_1301_002b,0033 |
29d2ad00029d29d00042d43d00000051af7d8070a18e002eaaedf620fa118c 29d2ad00029d29d00042d43d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb |
Apache/2.4.62 (Debian) | f4febc55ea12b31ae17cfb7e614afda8 | 771,4865,43-51 | t130200_1301_a56c5b993250 | t130200_1301_002b,0033 |
07d19d1ad21d21d07c42d43d000000112e88add4281e6a02c1102a6e18e86a 07d19d1ad21d21d07c42d43d0000008b344ab0cd56e121a8185dc3054afa3b |
|
google.com / 172.217.26.78 | eb1d94daa7e0344597e756a1fb6e7054 | 771,4865,51-43 | t130200_1301_234ea6891581 | t130200_1301_0033,002b | 27d40d40d29d40d1dc42d43d00041d4689ee210389f4f6b4b5b1b93f92252d | |
youtube.com / 142.251.10.136 | eb1d94daa7e0344597e756a1fb6e7054 | 771,4865,51-43 | t130200_1301_234ea6891581 | t130200_1301_0033,002b | 27d40d40d29d40d1dc42d43d00041d4689ee210389f4f6b4b5b1b93f92252d | |
I am gradually filling the table – if you have interesting ideas for adding software and sites, then write them in the comments.
Related articles:
- TLS fingerprinting: methods for identifying client and server software (81.8%)
- TLS fingerprinting of clients: hash types, utilities for displaying TLS fingerprints of clients (79.8%)
- Revealing the perimeter (CASE) (52%)
- How to search and brute force services on non-standard ports (51.9%)
- How to check if a website uses HSTS and HSTS preload (51.8%)
- Active Directory comprehensive guide, from installation and configuration to security auditing. Part 5: Join computers to Active Directory. Check and unjoin from Active Directory (RANDOM - 0.5%)