A year ago I tried out JA3. Time for a new test.
This new version no longer crashes on some packets, it’s more stable. However, there’s a bug when producing json output, which is easy to fix.
The JA3 Python program no longer matches TLS fingerprints: it produces a list of data (including fingerprint) for each client Hello packet.
Running this new version on the same pcap file as a year ago (and extracting the fingerprints) yields exactly the same result: 445 unique fingerprints, 7588 in total.
I have more matches this time when matching with the latest version of ja3fingerprint.json: 75 matches compared to 24 a year ago.
Notice that Shodan is one of the matched fingerprints.
Let’s take a closer look:
I’m looking for connections with fingerprint digest 0b63812a99e66c82a20d30c3b9ba6e06:
80.82.77.33 is indeed Shodan:
Name: sky.census.shodan.io
Address: 80.82.77.33
Didier Stevens 
[…] Quickpost: Revisiting JA3 […]
Pingback by Overview of Content Published in August | Didier Stevens — Wednesday 5 September 2018 @ 0:00