[Wireshark plugin] - JA4S_c not parsing enough extensions #207

Open
sgalac opened this issue Mar 4, 2025 · 0 comments
sgalac commented Mar 4, 2025

Example (yes, this is a misconfigured server):

TLSv1.2 Record Layer: Handshake Protocol: Server Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 94
    Handshake Protocol: Server Hello
        Handshake Type: Server Hello (2)
        Length: 90
        Version: TLS 1.2 (0x0303)
        Random: 67c708671cfdb380302492584cd3e7922d3a4e26744e779b444f574e47524401
        Session ID Length: 32
        Session ID: 3175b5627a01302c2b7f87388a997fb74c0646d5d47ef1154978cf39c2087677
        Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
        Compression Method: null (0)
        Extensions Length: 18
        Extension: server_name (len=0)
            Type: server_name (0)
            Length: 0
        Extension: renegotiation_info (len=1)
            Type: renegotiation_info (65281)
            Length: 1
            Renegotiation Info extension
        Extension: application_layer_protocol_negotiation (len=5)
            Type: application_layer_protocol_negotiation (16)
            Length: 5
            ALPN Extension Length: 3
            ALPN Protocol
        [JA3S Fullstring: 771,52392,0-65281-16]
        [JA3S: c5baba5035a73677f54864d93349f451]

The JA4S fingerprint obtained is:

JA4 Fingerprint
    JA4S: t1203h3_cca8_bc98f8e001b5
    JA4S Raw: t1203h3_cca8_ff01
   

This is incorrect. The JA4S_c should be 0000_ff01_0010 (server name, reneg. info, ALPN). The number of extensions is correctly calculated.

Tested on Wireshark and the latest JA4 plugin (ja4-wireshark-plugins-2025.02.15.40):

Version 4.4.5 (v4.4.5-0-g47253bcf3773).

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.41, build 34123),
with GLib 2.78.4, with Qt 6.5.3, with libpcap, with zlib 1.3.1, with zlib-ng
2.1.5, with PCRE2, with Lua 5.4.6 (with UfW patches), with GnuTLS 3.8.4 and PKCS
#11 support, with Gcrypt 1.10.2-unknown, with Kerberos (MIT), with MaxMind, with
nghttp2 1.62.1, with nghttp3 0.14.0, with brotli, with LZ4, with Zstandard, with
Snappy, with libxml2 2.11.7, with libsmi 0.5.0, with Minizip-ng , with
QtMultimedia, with automatic updates using WinSparkle 0.8.0, with AirPcap, with
binary plugins.
@vlvkobal vlvkobal self-assigned this Mar 5, 2025
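The following is an added reference implementation, not the plugin's Lua code, that rebuilds the Server Hello from the dissection above (the ALPN value "h3" and the renegotiation_info byte are constructed to match the dump), parses it back, and derives JA4S from the parsed fields. It assumes the JA4S layout from the JA4 spec as I understand it: part a is transport, TLS version, two-digit extension count and ALPN first/last character; part b is the chosen cipher suite; part c is the first 12 hex characters of SHA-256 over the extension types in wire order, comma separated (so the raw list is written `0000,ff01,0010` rather than the underscore form used in the report). Names such as `build_server_hello`, `parse_server_hello`, `hash_extensions` and `ja4s` are my own.

```python
import hashlib
import struct

# Added example (not the JA4 Wireshark plugin's code): JA4S derivation from a
# ServerHello handshake message. Assumed JA4S layout: a = transport + version +
# extension count + ALPN, b = chosen cipher, c = truncated SHA-256 over the
# comma separated extension types in wire order; JA4S_r keeps the list itself.

TLS_VERSIONS = {b"\x03\x04": "13", b"\x03\x03": "12", b"\x03\x02": "11",
                b"\x03\x01": "10", b"\x03\x00": "s3"}


def build_server_hello() -> bytes:
    """Constructed ServerHello handshake message with the values from the issue's dump."""
    random_ = bytes.fromhex("67c708671cfdb380302492584cd3e7922d3a4e26744e779b444f574e47524401")
    session_id = bytes.fromhex("3175b5627a01302c2b7f87388a997fb74c0646d5d47ef1154978cf39c2087677")
    ext_sni = struct.pack("!HH", 0x0000, 0)                      # server_name, empty body
    ext_reneg = struct.pack("!HH", 0xFF01, 1) + b"\x00"          # renegotiation_info, 1 byte (constructed)
    alpn_list = b"\x02h3"                                        # one ALPN entry "h3" (constructed)
    ext_alpn = (struct.pack("!HH", 0x0010, 2 + len(alpn_list))
                + struct.pack("!H", len(alpn_list)) + alpn_list)
    exts = ext_sni + ext_reneg + ext_alpn                        # 18 bytes, as in the dump
    body = (b"\x03\x03" + random_ + bytes([len(session_id)]) + session_id
            + struct.pack("!H", 0xCCA8) + b"\x00"                # cipher suite, compression null
            + struct.pack("!H", len(exts)) + exts)
    return b"\x02" + len(body).to_bytes(3, "big") + body        # handshake type 2 + 3-byte length


def parse_server_hello(msg: bytes) -> dict:
    """Parse a ServerHello handshake message into version, cipher and extension list."""
    if msg[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 0
    version = body[pos:pos + 2]
    pos += 2
    pos += 32                                                    # random
    pos += 1 + body[pos]                                         # session id
    cipher = body[pos:pos + 2]
    pos += 2
    pos += 1                                                     # compression method
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    extensions = []                                              # (type, data) in wire order
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        extensions.append((etype, body[pos + 4:pos + 4 + elen]))  # zero-length bodies are kept
        pos += 4 + elen
    return {"version": version, "cipher": cipher, "extensions": extensions}


def hash_extensions(ext_types) -> str:
    """JA4S_c: first 12 hex chars of SHA-256 over the comma separated extension types."""
    if not ext_types:
        return "000000000000"
    raw = ",".join(f"{t:04x}" for t in ext_types)
    return hashlib.sha256(raw.encode("ascii")).hexdigest()[:12]


def ja4s(parsed: dict, quic: bool = False) -> tuple:
    """Return (JA4S, JA4S_r) for a parsed ServerHello."""
    version = parsed["version"]
    alpn = "00"
    for etype, data in parsed["extensions"]:
        if etype == 0x002B and len(data) == 2:                   # supported_versions carries the selected version
            version = data
        if etype == 0x0010 and len(data) >= 3 and data[2] > 0:   # ALPN: first and last char of the chosen protocol
            proto = data[3:3 + data[2]].decode("ascii", "replace")
            alpn = proto[0] + proto[-1]
    ext_types = [t for t, _ in parsed["extensions"]]
    part_a = ("q" if quic else "t") + TLS_VERSIONS.get(version, "00") + f"{min(len(ext_types), 99):02d}" + alpn
    part_b = parsed["cipher"].hex()
    raw_list = ",".join(f"{t:04x}" for t in ext_types)
    return f"{part_a}_{part_b}_{hash_extensions(ext_types)}", f"{part_a}_{part_b}_{raw_list}"


if __name__ == "__main__":
    fp, fp_raw = ja4s(parse_server_hello(build_server_hello()))
    print("JA4S     :", fp)
    print("JA4S_r   :", fp_raw)
    print("only ff01:", hash_extensions([0xFF01]))   # what a parser that drops the empty server_name and ALPN would hash
```

Running the script prints the fingerprint with all three extensions hashed; the last line prints the hash a parser would produce if it only retained renegotiation_info, which can be compared with the plugin's `bc98f8e001b5` output above to see whether the empty server_name extension and ALPN were simply dropped before hashing.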